Bilko — Balkan Accounting SaaS

Cloud accounting for Balkan SMBs (Serbia, BiH, Croatia). Fiken-inspired.

Frontend

Next.js 15 frontend — pages, components, design system

Frontend

Pages & Routing

Bilko Frontend Pages

Framework: Next.js 15 (App Router) Current State: Fully implemented with mock data Future State: Will require API integration to replace mock data

Route Architecture Overview

graph TD
    ROOT["app/layout.tsx\n(Root HTML, Inter font, metadata)"]

    ROOT --> LANDING["/ — Landing Page\napp/page.tsx"]
    ROOT --> AUTH["(auth) group\nNo shared layout"]
    ROOT --> DASH["(dashboard) group\napp/(dashboard)/layout.tsx\nSidebar + TopBar"]

    AUTH --> LOGIN["/login\nLoginPage"]
    AUTH --> REGISTER["/register\nRegisterPage"]

    DASH --> DASHBOARD["/dashboard\nDashboard Home"]
    DASH --> INVOICES["/invoices\nInvoice List"]
    DASH --> INV_NEW["/invoices/new\nInvoice Wizard"]
    DASH --> EXPENSES["/expenses\nExpense List"]
    DASH --> EXPENSES_NEW["/expenses/new\nAdd Expense"]
    DASH --> PURCHASES["/purchases\nPurchases (alias → expenses)"]
    DASH --> BANKING["/banking\nBanking Hub"]
    DASH --> REPORTS["/reports\nReports Hub"]
    DASH --> REPORTS_PL["/reports/profit-loss\nP&L Report"]
    DASH --> REPORTS_VAT["/reports/vat\nVAT Report"]
    DASH --> SETTINGS["/settings\nSettings"]

    LANDING --> LOGIN
    LOGIN --> DASHBOARD
    REGISTER --> DASHBOARD

    classDef layout fill:#1e1e2e,color:#cdd6f4,stroke:#89b4fa
    classDef auth fill:#313244,color:#cba6f7,stroke:#cba6f7
    classDef dashboard fill:#1e1e2e,color:#a6e3a1,stroke:#a6e3a1
    classDef reports fill:#313244,color:#89dceb,stroke:#89dceb
    class ROOT,DASH layout
    class AUTH,LOGIN,REGISTER auth
    class DASHBOARD,INVOICES,INV_NEW,EXPENSES,EXPENSES_NEW,PURCHASES,BANKING,SETTINGS dashboard
    class REPORTS,REPORTS_PL,REPORTS_VAT reports

Layouts

Root Layout

Dashboard Layout

graph LR
    DL["DashboardLayout\napp/(dashboard)/layout.tsx"]

    DL --> SB["Sidebar\ncomponents/sidebar.tsx\n• Logo\n• Main nav (5 items)\n• Bottom nav (Settings)\n• Active state via usePathname"]
    DL --> TB["TopBar\ncomponents/top-bar.tsx\n• Mobile menu button\n• Search (Cmd+K)\n• Notifications bell\n• User dropdown menu"]
    DL --> SLOT["Page Slot\n{children}"]

    SB -->|"dark sidebar #111113"| SCREEN["Rendered Screen"]
    TB -->|"white top bar"| SCREEN
    SLOT -->|"light content #FAFAFA"| SCREEN

Pages

Dashboard (Home)

graph TD
    DP["Dashboard Page\n/dashboard"]

    DP --> ROW1["Row 1 — Metric Cards\ngrid-cols-1 md:grid-cols-3"]
    DP --> ROW2["Row 2 — Charts\ngrid-cols-1 md:grid-cols-3"]
    DP --> ROW3["Row 3 — Tables + Actions\ngrid-cols-1 lg:grid-cols-3"]

    ROW1 --> MC1["Cash Balance\nwith trend arrow"]
    ROW1 --> MC2["Revenue MTD\ncurrent month total"]
    ROW1 --> MC3["Unpaid Invoices\nwith warning badge"]

    ROW2 --> CH1["P&L Bar Chart\nRecharts BarChart\n6-month revenue/expenses/profit"]
    ROW2 --> CH2["Receivables Aging\nRecharts StackedBarChart\ncurrent/30d/60d/90d+"]
    ROW2 --> CH3["Expenses by Category\nRecharts PieChart (donut)\nper-category breakdown"]

    ROW3 --> TBL["Recent Transactions\nRecharts Table\nlast 5 transactions"]
    ROW3 --> QA["Quick Actions\nNew Invoice\nNew Expense\nImport Bank Statement"]

Invoices List

Invoice Creation Wizard

Expenses List

Purchases (Alias)

Banking

Reports Hub

graph TD
    RH["Reports Hub\n/reports"]

    RH --> PL["Profit & Loss\n/reports/profit-loss\nLIVE — expandable revenue/expenses\nfetches from API with mock fallback"]
    RH --> BS["Balance Sheet\nCOMING SOON"]
    RH --> CF["Cash Flow Statement\nCOMING SOON"]
    RH --> VAT["VAT/PDV Report\n/reports/vat\nLIVE — 3-step wizard"]
    RH --> TB["Trial Balance\nCOMING SOON"]
    RH --> GL["General Ledger\nCOMING SOON"]

    PL --> PL_R["Revenue Section\n(expandable, breakdown by category)"]
    PL --> PL_E["Expenses Section\n(expandable, breakdown by category)"]
    PL --> PL_NP["Net Profit + Margin"]
    PL --> PL_EX["Export PDF / Export Excel"]

    VAT --> VAT_S1["Step 1: Reconciliation Check\n(warn if unreconciled transactions)"]
    VAT --> VAT_S2["Step 2: VAT Audit\n(all VAT transactions table)"]
    VAT --> VAT_S3["Step 3: Return Summary\nBox 1 / Box 2 / Box 3"]

    classDef live fill:#1e3a2f,color:#a6e3a1,stroke:#a6e3a1
    classDef soon fill:#2a1e2e,color:#888,stroke:#555
    class PL,VAT live
    class BS,CF,TB,GL soon

VAT Report

Settings

Authentication Flow

sequenceDiagram
    participant U as User
    participant AP as AuthProvider
    participant AS as useAuthStore
    participant R as Router
    participant API as Backend API

    U->>AP: Navigate to /dashboard
    AP->>AS: checkAuth()
    AS->>API: GET /api/auth/me (Bearer token)

    alt API not configured (demo mode)
        AP-->>U: Render page directly (demoFallback=true)
    else Token valid
        API-->>AS: 200 OK — user data
        AS-->>AP: isAuthenticated=true
        AP-->>U: Render protected page
    else Token invalid / no token
        API-->>AS: 401 Unauthorized
        AS-->>AP: isAuthenticated=false
        AP->>R: router.replace('/login')
        R-->>U: Redirect to /login
        U->>U: Enter email + password
        U->>AS: login(email, password)
        AS->>API: POST /api/auth/login
        API-->>AS: 200 OK — JWT token
        AS->>R: router.push('/dashboard')
        R-->>U: Redirect to /dashboard
    end

Screenshot Descriptions

Dashboard

User sees:

Invoices List

User sees:

Invoice Wizard

User sees:

Expenses

User sees:

Banking

User sees:

VAT Report

User sees:

Settings

User sees:

Notes

Frontend

State Management

Bilko State Management

Current State: Primarily React hooks (useState, useEffect) Installed but Minimal Use: Zustand 4.5.0 Future State: Migrate to Zustand for global state

Architecture Overview

flowchart LR
    subgraph CURRENT["Current Architecture (Phase 1)"]
        MD["lib/mock-data.ts\n(static imports)"] -->|imported directly| PG["Page Component\n(useState + useMemo)"]
        PG -->|renders| UI["UI Components"]
        PG -->|local state only| PG
    end

    subgraph FUTURE["Future Architecture (Phase 2)"]
        API["Backend API\n(Express + PostgreSQL)"] -->|fetch| ST["Zustand Stores\nauth / org / invoices\nexpenses / banking / ui"]
        ST -->|subscribe| PG2["Page Component\nuseInvoicesStore()"]
        PG2 -->|renders| UI2["UI Components"]
        PG2 -->|optimistic update| ST
    end

    style CURRENT fill:#1a1a2e,stroke:#4a4a6e,color:#aaa
    style FUTURE fill:#1a2e1a,stroke:#4a6e4a,color:#aaa

Current State Patterns

Local Component State (React useState)

Usage: Most components use local state for UI interactions and form data.

Examples:

Dashboard Page:

// No local state — purely presentational, uses mock data imports

Invoice List Page:

const [statusFilter, setStatusFilter] = useState<string>("all")
const [searchQuery, setSearchQuery] = useState<string>("")
const [dateRange, setDateRange] = useState<string>("this-month")
const [sortColumn, setSortColumn] = useState<string>("date")
const [sortDirection, setSortDirection] = useState<"asc" | "desc">("desc")

Invoice Wizard:

const [step, setStep] = useState(1)
const [customer, setCustomer] = useState<Contact | null>(null)
const [showAddCustomer, setShowAddCustomer] = useState(false)
const [invoiceDetails, setInvoiceDetails] = useState<InvoiceDetails>({...})
const [lineItems, setLineItems] = useState<LineItem[]>([...])
const [notes, setNotes] = useState("Thank you for your business!")
const [terms, setTerms] = useState("Payment due within 30 days.")
const [emailData, setEmailData] = useState({...})

Expenses Page:

const [isDialogOpen, setIsDialogOpen] = useState(false)
const [periodFilter, setPeriodFilter] = useState("This Month")
const [categoryFilter, setCategoryFilter] = useState("All Categories")
const [searchQuery, setSearchQuery] = useState("")
const [formData, setFormData] = useState({...})

Banking Page:

const [selectedAccount, setSelectedAccount] = useState(mockBankAccounts[0].id)

Reports Page:

const [plExpanded, setPlExpanded] = useState({
  revenue: true,
  expenses: true
})

VAT Report:

const [currentStep, setCurrentStep] = useState<'reconciliation' | 'audit' | 'summary'>('reconciliation')

Settings Page:

const [activeSection, setActiveSection] = useState('company')
const [companyData, setCompanyData] = useState({...})
const [vatSettings, setVatSettings] = useState({...})

Dashboard Layout:

const [sidebarOpen, setSidebarOpen] = useState(false)

Sidebar:

const [expandedSections, setExpandedSections] = useState<string[]>([
  "Sales",
  "Purchases",
  "Reports"
])

Local State Distribution by Page

flowchart TD
    subgraph IL["Invoice List /invoices"]
        IL1["statusFilter\nsearchQuery\ndateRange\nsortColumn\nsortDirection"]
    end

    subgraph IW["Invoice Wizard /invoices/new"]
        IW1["step (1-6)\ncustomer\nshowAddCustomer\ninvoiceDetails\nlineItems\nnotes / terms\nemailData"]
    end

    subgraph EP["Expenses /expenses"]
        EP1["isDialogOpen\nperiodFilter\ncategoryFilter\nsearchQuery\nformData"]
    end

    subgraph BP["Banking /banking"]
        BP1["selectedAccount"]
    end

    subgraph RP["Reports /reports"]
        RP1["plExpanded\n{revenue, expenses}"]
    end

    subgraph VP["VAT /reports/vat"]
        VP1["currentStep\n'reconciliation' | 'audit' | 'summary'"]
    end

    subgraph SP["Settings /settings"]
        SP1["activeSection\ncompanyData\nvatSettings"]
    end

    subgraph LY["Dashboard Layout"]
        LY1["sidebarOpen (mobile)"]
    end

    subgraph SB["Sidebar component"]
        SB1["expandedSections: string[]"]
    end

Computed State (React useMemo)

Purpose: Derived values from props/state to avoid expensive recalculations.

Invoice List:

// Filtered/sorted invoice list
const filteredInvoices = useMemo(() => {
  let filtered = [...mockInvoices]

  // Apply filters
  if (statusFilter !== "all") {
    filtered = filtered.filter((inv) => inv.status === statusFilter)
  }

  if (searchQuery) {
    const query = searchQuery.toLowerCase()
    filtered = filtered.filter(
      (inv) =>
        inv.customerName.toLowerCase().includes(query) ||
        inv.number.toLowerCase().includes(query)
    )
  }

  // Date range filter logic...

  // Sort logic...

  return filtered
}, [statusFilter, searchQuery, dateRange, sortColumn, sortDirection])

// Summary calculations
const summary = useMemo(() => {
  const total = filteredInvoices.length
  const byStatus = filteredInvoices.reduce((acc, inv) => {
    // Aggregate by status...
    return acc
  }, {})

  return { total, byStatus }
}, [filteredInvoices])

Invoice Wizard:

// Customer list
const customers = useMemo(
  () => mockContacts.filter((c) => c.type === "customer"),
  []
)

// Calculate totals
const totals = useMemo(() => {
  const subtotal = lineItems.reduce(
    (sum, item) => sum + item.quantity * item.unitPrice,
    0
  )
  const vatTotal = lineItems.reduce(
    (sum, item) =>
      sum + item.quantity * item.unitPrice * (item.vatRate / 100),
    0
  )
  const total = subtotal + vatTotal
  return { subtotal, vatTotal, total }
}, [lineItems])

Expenses Page:

// Filtered expenses
const filteredExpenses = useMemo(() => {
  return mockExpenses.filter(expense => {
    const matchesCategory = categoryFilter === "All Categories" || expense.category === categoryFilter
    const matchesSearch = searchQuery === "" ||
      expense.description.toLowerCase().includes(searchQuery.toLowerCase()) ||
      expense.vendor.toLowerCase().includes(searchQuery.toLowerCase())
    return matchesCategory && matchesSearch
  })
}, [categoryFilter, searchQuery])

// Stats
const stats = useMemo(() => {
  const total = filteredExpenses.reduce((sum, exp) => {
    // Convert to EUR and sum...
  }, 0)
  const pending = filteredExpenses.filter(e => e.status === 'pending').length
  const approved = filteredExpenses.filter(e => e.status === 'approved').length
  const paid = filteredExpenses.filter(e => e.status === 'paid').length

  return { total, pending, approved, paid }
}, [filteredExpenses])

Banking Page:

// Total balance in EUR
const totalBalanceEUR = useMemo(() => {
  return mockBankAccounts.reduce((sum, acc) => {
    const eurAmount = acc.currency === 'EUR' ? acc.balance :
                      acc.currency === 'RSD' ? acc.balance / 117 :
                      acc.balance / 2 // BAM to EUR
    return sum + eurAmount
  }, 0)
}, [])

// Unreconciled transactions
const unreconciledTransactions = useMemo(() => {
  return mockBankTransactions.filter(tx => !tx.reconciled && tx.bankAccountId === selectedAccount)
}, [selectedAccount])

Navigation State (Next.js usePathname)

Sidebar:

const pathname = usePathname()

const isActive = (href: string | undefined) => {
  if (!href) return false
  return pathname === href
}

Usage: Highlights active navigation item based on current route.

Router State (Next.js useRouter)

Invoice Wizard:

const router = useRouter()

const handleNext = () => {
  if (step === 6) {
    alert("Invoice sent!")
    router.push("/invoices")
  } else {
    setStep(step + 1)
  }
}

const handleCancel = () => {
  if (confirm("Are you sure you want to cancel? All changes will be lost.")) {
    router.push("/invoices")
  }
}

Usage: Programmatic navigation after form submission or cancel.

Data Flow (Current)

flowchart LR
    MD["lib/mock-data.ts\nmockInvoices\nmockExpenses\nmockBankAccounts\nmockContacts\nmockBankTransactions"]

    MD -->|"import { mockInvoices }"| IL["Invoice List\nfilter → sort → display"]
    MD -->|"import { mockExpenses }"| EP["Expenses Page\nfilter → stats → display"]
    MD -->|"import { mockBankAccounts }"| BP["Banking Page\ncurrency conversion → display"]
    MD -->|"import { mockContacts }"| IW["Invoice Wizard\nfilter customers → wizard"]
    MD -->|"import metrics"| DP["Dashboard\nmetrics → charts"]

    IL -->|"useMemo(filteredInvoices)"| IT["Invoice Table"]
    IL -->|"useMemo(summary)"| IS["Summary Bar"]

    EP -->|"useMemo(filteredExpenses)"| ET["Expense Table"]
    EP -->|"useMemo(stats)"| ES["Summary Stats"]

    BP -->|"useMemo(totalBalanceEUR)"| BA["Balance Display"]
    BP -->|"useMemo(unreconciledTx)"| REC["Reconcile Tab"]

Mock Data Import Pattern

All pages import mock data directly:

import { mockInvoices, mockExpenses, mockBankAccounts } from "@/lib/mock-data"

Issues:

Data Transformation

Components transform mock data for display:

// Dashboard: Calculate metrics from raw data
const dashboardMetrics = {
  cashBalance: 2478170,
  revenueMTD: 485700,
  unpaidInvoices: 218200,
  // ...
}

// Invoice list: Filter/sort/search
const filteredInvoices = mockInvoices.filter(...)

// Banking: Currency conversion
const totalBalanceEUR = mockBankAccounts.reduce((sum, acc) => {
  const eurAmount = convertToEUR(acc.balance, acc.currency)
  return sum + eurAmount
}, 0)

Zustand (Installed but Not Used)

Package: zustand: ^4.5.0 (installed in package.json)

Current Usage: None

Planned Usage: Global state stores for:

Future State Architecture (Phase 2)

Planned Zustand Store Structure

classDiagram
    class AuthStore {
        +user: User | null
        +isAuthenticated: boolean
        +isLoading: boolean
        +token: string | null
        +error: string | null
        +login(email, password) Promise~void~
        +logout() void
        +refreshToken() Promise~void~
        +checkAuth() Promise~boolean~
    }

    class OrgStore {
        +organization: Organization | null
        +settings: OrgSettings
        +updateSettings(settings) Promise~void~
    }

    class InvoicesStore {
        +invoices: Invoice[]
        +isLoading: boolean
        +error: string | null
        +fetchInvoices(filters) Promise~void~
        +createInvoice(data) Promise~Invoice~
        +updateInvoice(id, data) Promise~void~
        +deleteInvoice(id) Promise~void~
        +sendInvoice(id, emailData) Promise~void~
    }

    class ExpensesStore {
        +expenses: Expense[]
        +isLoading: boolean
        +fetchExpenses(filters) Promise~void~
        +createExpense(data) Promise~Expense~
        +updateExpense(id, data) Promise~void~
        +deleteExpense(id) Promise~void~
    }

    class BankingStore {
        +accounts: BankAccount[]
        +transactions: BankTransaction[]
        +isLoading: boolean
        +fetchAccounts() Promise~void~
        +fetchTransactions(accountId) Promise~void~
        +importTransactions(accountId, file) Promise~void~
        +reconcileTransaction(txId) Promise~void~
        +linkTransaction(txId, type, id) Promise~void~
    }

    class UIStore {
        +sidebarOpen: boolean
        +sidebarExpandedSections: string[]
        +theme: string
        +toggleSidebar() void
        +toggleSection(section) void
        +setTheme(theme) void
    }

    AuthStore --> OrgStore : loads org on login
    AuthStore --> InvoicesStore : scoped by orgId
    AuthStore --> ExpensesStore : scoped by orgId
    AuthStore --> BankingStore : scoped by orgId

Planned Zustand Stores

Auth Store

// Planned: stores/auth.ts
interface AuthState {
  user: User | null
  isAuthenticated: boolean
  token: string | null
  login: (email: string, password: string) => Promise<void>
  logout: () => void
  refreshToken: () => Promise<void>
}

Organization Store

// Planned: stores/organization.ts
interface OrgState {
  organization: Organization | null
  settings: OrgSettings
  updateSettings: (settings: Partial<OrgSettings>) => Promise<void>
}

Invoices Store

// Planned: stores/invoices.ts
interface InvoicesState {
  invoices: Invoice[]
  isLoading: boolean
  error: string | null
  fetchInvoices: (filters: InvoiceFilters) => Promise<void>
  createInvoice: (data: InvoiceCreateData) => Promise<Invoice>
  updateInvoice: (id: string, data: Partial<Invoice>) => Promise<void>
  deleteInvoice: (id: string) => Promise<void>
  sendInvoice: (id: string, emailData: EmailData) => Promise<void>
}

Expenses Store

// Planned: stores/expenses.ts
interface ExpensesState {
  expenses: Expense[]
  isLoading: boolean
  fetchExpenses: (filters: ExpenseFilters) => Promise<void>
  createExpense: (data: ExpenseCreateData) => Promise<Expense>
  updateExpense: (id: string, data: Partial<Expense>) => Promise<void>
  deleteExpense: (id: string) => Promise<void>
}

Banking Store

// Planned: stores/banking.ts
interface BankingState {
  accounts: BankAccount[]
  transactions: BankTransaction[]
  isLoading: boolean
  fetchAccounts: () => Promise<void>
  fetchTransactions: (accountId: string) => Promise<void>
  importTransactions: (accountId: string, file: File) => Promise<void>
  reconcileTransaction: (txId: string) => Promise<void>
  linkTransaction: (txId: string, linkType: string, linkId: string) => Promise<void>
}

UI Store

// Planned: stores/ui.ts
interface UIState {
  sidebarOpen: boolean
  sidebarExpandedSections: string[]
  theme: 'light' | 'dark'
  toggleSidebar: () => void
  toggleSection: (section: string) => void
  setTheme: (theme: 'light' | 'dark') => void
}

Migration Strategy

  1. Phase 2a: Create stores with API integration
  2. Phase 2b: Replace useState with store hooks in components
  3. Phase 2c: Add optimistic updates and caching
  4. Phase 2d: Implement persistence (localStorage for UI prefs)

Example Migration:

Before (current):

// Invoice list page
const [invoices, setInvoices] = useState<Invoice[]>(mockInvoices)

After (Phase 2):

// Invoice list page
import { useInvoicesStore } from '@/stores/invoices'

const { invoices, fetchInvoices, isLoading } = useInvoicesStore()

useEffect(() => {
  fetchInvoices({ status: statusFilter, dateRange })
}, [statusFilter, dateRange])

API Integration Pattern (Future)

API Client (lib/api.ts)

// Planned: lib/api.ts
const API_BASE = process.env.NEXT_PUBLIC_API_URL

export const api = {
  get: async (endpoint: string) => {
    const res = await fetch(`${API_BASE}${endpoint}`, {
      headers: { Authorization: `Bearer ${getToken()}` }
    })
    if (!res.ok) throw new Error(await res.text())
    return res.json()
  },

  post: async (endpoint: string, data: any) => {
    const res = await fetch(`${API_BASE}${endpoint}`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${getToken()}`
      },
      body: JSON.stringify(data)
    })
    if (!res.ok) throw new Error(await res.text())
    return res.json()
  },

  // PATCH, DELETE...
}

Store Integration

// Planned: stores/invoices.ts
export const useInvoicesStore = create<InvoicesState>((set, get) => ({
  invoices: [],
  isLoading: false,
  error: null,

  fetchInvoices: async (filters) => {
    set({ isLoading: true, error: null })
    try {
      const data = await api.get(`/invoices?${buildQueryString(filters)}`)
      set({ invoices: data, isLoading: false })
    } catch (error) {
      set({ error: error.message, isLoading: false })
    }
  },

  createInvoice: async (data) => {
    const invoice = await api.post('/invoices', data)
    set({ invoices: [...get().invoices, invoice] })
    return invoice
  },

  // Other CRUD methods...
}))

Future Data Flow

flowchart LR
    subgraph BROWSER["Browser"]
        subgraph STORES["Zustand Stores"]
            AS["AuthStore\ntoken, user"]
            IS["InvoicesStore\ninvoices, isLoading"]
            ES["ExpensesStore\nexpenses, isLoading"]
            BS["BankingStore\naccounts, transactions"]
            US["UIStore\nsidebarOpen, theme"]
        end

        subgraph PAGES["Pages"]
            IP["Invoice List"]
            IWP["Invoice Wizard"]
            EP["Expenses"]
            BP["Banking"]
        end

        subgraph PERSIST["Persistence"]
            LS["localStorage\nUI prefs (UIStore)"]
            CK["httpOnly Cookie\nJWT token"]
        end
    end

    BE["Backend API\n(Express + PostgreSQL)"]

    AS -->|"Authorization: Bearer"| BE
    BE -->|"invoices[]"| IS
    BE -->|"expenses[]"| ES
    BE -->|"accounts[], txs[]"| BS

    IS --> IP
    IS --> IWP
    ES --> EP
    BS --> BP

    US <-->|persist| LS
    AS <-->|token| CK

Loading States (Future)

Current: No loading states (instant mock data)

Future: Loading skeletons and states

// Component usage (future)
const { invoices, isLoading } = useInvoicesStore()

if (isLoading) {
  return <InvoiceListSkeleton />
}

Error Handling (Future)

Current: No error handling (mock data never fails)

Future: Error boundaries and toast notifications

// Store error state (future)
const { error } = useInvoicesStore()

if (error) {
  toast.error(`Failed to load invoices: ${error}`)
}

Optimistic Updates (Future)

Concept: Update UI immediately, rollback on API failure

// Example: Delete invoice (future)
deleteInvoice: async (id) => {
  // Optimistic update
  const prevInvoices = get().invoices
  set({ invoices: prevInvoices.filter(inv => inv.id !== id) })

  try {
    await api.delete(`/invoices/${id}`)
  } catch (error) {
    // Rollback on failure
    set({ invoices: prevInvoices, error: error.message })
    toast.error('Failed to delete invoice')
  }
}

State Persistence (Future)

UI Preferences: localStorage Auth Token: httpOnly cookie (secure) Data Cache: sessionStorage (optional, for performance)

// Example: Persist sidebar state (future)
export const useUIStore = create(
  persist<UIState>(
    (set) => ({
      sidebarOpen: false,
      toggleSidebar: () => set((state) => ({ sidebarOpen: !state.sidebarOpen }))
    }),
    { name: 'bilko-ui-preferences' }
  )
)

Summary

Current State:

Future State (Phase 2):

Frontend

Frontend — Status & Architecture

Bilko Web — Next.js Frontend

BookStack — Provjeri PRVO

Prije traženja bilo čega — provjeri BookStack (http://localhost:6875). Centralna baza znanja za tools, skills, hooks, agents, rules, projekte, klijente, dokumentaciju. Ako odgovor postoji tamo — NE TRAŽI dalje.

Tech Stack

Pages (App Router)

All pages under app/(dashboard)/:

Components

UI (shadcn/ui): 17 components in components/ui/

Layout:

Design System

Embedded in tailwind.config.ts: 73 tokens

Mock Data

CRITICAL: All data from lib/mock-data.ts

State Management

Development Rules

  1. No production mock data — Always flag mock data usage
  2. Design system tokens — Use tokens from tailwind.config.ts, NEVER hardcode colors
  3. Responsive — Mobile-first, test at all breakpoints
  4. Accessibility — Use shadcn/ui primitives (Radix UI), semantic HTML
  5. TypeScript strict — No any types without explicit justification

API Integration (Future)

When backend ready:

Frontend

Component Inventory

Bilko Component Inventory

Last Updated: 2026-02-20 Source of Truth: Filesystem scan of apps/web/components/

Component Hierarchy Overview

graph TD
    APP["app/layout.tsx\nRoot Layout"]

    APP --> LAND["Landing Page\napp/page.tsx"]
    APP --> AUTH_GRP["Auth Group\napp/(auth)"]
    APP --> DASH_GRP["Dashboard Group\napp/(dashboard)/layout.tsx"]

    LAND --> LN["Landing Components\ncomponents/landing/"]
    LN --> NAVBAR["Navbar"]
    LN --> HERO["Hero"]
    LN --> FEATURES["Features"]
    LN --> PRICING["Pricing"]
    LN --> TESTIMONIALS["Testimonials"]
    LN --> FOOTER["Footer"]

    AUTH_GRP --> LOGIN_PG["LoginPage\ncomponents/ui/input\ncomponents/ui/button"]
    AUTH_GRP --> REG_PG["RegisterPage\ncomponents/ui/input\ncomponents/ui/button"]

    DASH_GRP --> SIDEBAR["Sidebar\ncomponents/sidebar.tsx"]
    DASH_GRP --> TOPBAR["TopBar\ncomponents/top-bar.tsx"]
    DASH_GRP --> PAGES["Dashboard Pages"]

    PAGES --> DP["Dashboard\n/dashboard"]
    PAGES --> IP["Invoices\n/invoices"]
    PAGES --> IWP["Invoice Wizard\n/invoices/new"]
    PAGES --> EP["Expenses\n/expenses"]
    PAGES --> BP["Banking\n/banking"]
    PAGES --> RP["Reports\n/reports"]
    PAGES --> PLP["Profit & Loss\n/reports/profit-loss"]
    PAGES --> VP["VAT Report\n/reports/vat"]
    PAGES --> SP["Settings\n/settings"]

    classDef layout fill:#1e2235,color:#89b4fa,stroke:#89b4fa
    classDef landing fill:#2a1e35,color:#cba6f7,stroke:#cba6f7
    classDef auth fill:#2a1e1e,color:#f38ba8,stroke:#f38ba8
    classDef page fill:#1e2e1e,color:#a6e3a1,stroke:#a6e3a1
    class APP,DASH_GRP layout
    class LAND,LN,NAVBAR,HERO,FEATURES,PRICING,TESTIMONIALS,FOOTER landing
    class AUTH_GRP,LOGIN_PG,REG_PG auth
    class SIDEBAR,TOPBAR,PAGES,DP,IP,IWP,EP,BP,RP,PLP,VP,SP page

Layout Components

Sidebar

TopBar

graph LR
    SB["Sidebar\ncomponents/sidebar.tsx"]

    SB --> LOGO["Logo Section\nImage svg + 'bilko' text"]
    SB --> MAINNAV["Main Navigation\nnav > ul > li"]
    SB --> BOTTOMNAV["Bottom Navigation\n(Settings)"]

    MAINNAV --> DASH_LI["Dashboard\nLayoutDashboard icon"]
    MAINNAV --> SALES_LI["Sales (→ /invoices)\nDollarSign icon + ChevronRight"]
    MAINNAV --> PURCH_LI["Purchases (→ /purchases)\nCreditCard icon + ChevronRight"]
    MAINNAV --> BANK_LI["Banking\nLandmark icon"]
    MAINNAV --> REP_LI["Reports\nBarChart3 icon"]

    BOTTOMNAV --> SET_LI["Settings\nSettings icon"]

    SB -->|"isActive(href)"| ACTIVE["Active State\nbg-primary/10 + text-primary"]
    SB -->|"inactive"| INACTIVE["Hover State\nhover:bg-sidebar-hover"]

UI Components (shadcn/ui)

All components in components/ui/ are from shadcn/ui library (Radix UI primitives + Tailwind).

graph TD
    SHADCN["shadcn/ui Components\ncomponents/ui/"]

    SHADCN --> FORM_GRP["Form Components"]
    SHADCN --> DISPLAY_GRP["Display Components"]
    SHADCN --> OVERLAY_GRP["Overlay Components"]
    SHADCN --> FEEDBACK_GRP["Feedback Components"]

    FORM_GRP --> INPUT["Input\ntext, email, number, date, search"]
    FORM_GRP --> SELECT["Select\nRadix Select primitive\nSelectTrigger + SelectContent + SelectItem"]
    FORM_GRP --> TEXTAREA["Textarea\nmulti-line input, 3-6 rows"]
    FORM_GRP --> LABEL["Label\nRadix Label, accessible"]

    DISPLAY_GRP --> CARD["Card\nCard + CardHeader + CardTitle\n+ CardDescription + CardContent + CardFooter"]
    DISPLAY_GRP --> TABLE["Table\nTable + TableHeader + TableBody\n+ TableRow + TableHead + TableCell"]
    DISPLAY_GRP --> BADGE["Badge\ndefault / secondary / success\n/ warning / destructive"]
    DISPLAY_GRP --> AVATAR["Avatar\nRadix Avatar (not yet used)"]
    DISPLAY_GRP --> SEPARATOR["Separator\nhorizontal/vertical"]
    DISPLAY_GRP --> SKELETON["Skeleton\npulse animation (not yet used)"]

    OVERLAY_GRP --> DIALOG["Dialog\nRadix Dialog\nDialogContent + DialogHeader\n+ DialogFooter"]
    OVERLAY_GRP --> DROPDOWN["DropdownMenu\nRadix DropdownMenu\nTrigger + Content + Item"]
    OVERLAY_GRP --> TABS["Tabs\nRadix Tabs\nTabsList + TabsTrigger + TabsContent"]
    OVERLAY_GRP --> SHEET["Sheet\nRadix Dialog styled\n(not yet used)"]

    FEEDBACK_GRP --> BUTTON["Button\ndefault / destructive / outline\n/ secondary / ghost / link\nsm / default / lg / icon sizes"]

Avatar

Badge

Button

Card

Dialog

Dropdown Menu

Input

Label

Select

Separator

Sheet

Skeleton

Table

Tabs

Textarea

Landing Components

graph TD
    LP["Landing Page\napp/page.tsx"]

    LP --> LNAV["Navbar\ncomponents/landing/navbar.tsx\nlogo + nav links + CTA button"]
    LP --> LHERO["Hero\ncomponents/landing/hero.tsx\nheadline + subtext + CTAs"]
    LP --> LFEAT["Features\ncomponents/landing/features.tsx\nfeature grid cards"]
    LP --> LPRICE["Pricing\ncomponents/landing/pricing.tsx\npricing tiers"]
    LP --> LTESTI["Testimonials\ncomponents/landing/testimonials.tsx\ncustomer quotes"]
    LP --> LFOOT["Footer\ncomponents/landing/footer.tsx\nlinks + copyright"]

Chatbot Components

graph TD
    CW["ChatWidget\ncomponents/chatbot/ChatWidget.tsx\nfloating chat button + panel"]

    CW --> CM["ChatMessage\ncomponents/chatbot/ChatMessage.tsx\nindividual message bubble"]
    CW --> CI["ChatInput\ncomponents/chatbot/ChatInput.tsx\ntext input + send button"]

Chart Components

Charts are built with Recharts 2.15.0 (not custom components). Key chart types used:

Chart Colors (from tailwind.config.ts):

Utility Components

cn (lib/utils.ts)

AuthProvider (lib/auth-provider.tsx)

Page-Specific Components

Currently none standalone. All components are reusable shadcn/ui components + layout components. No page-specific extracted components yet.

Potential future page-specific components:

Component Usage Map

Component Used In Count
Button All pages 50+
Card Dashboard, Reports, Banking, Settings, Expenses 20+
Table Invoices, Expenses, Banking, Reports, Dashboard, Settings 10+
Input Invoice wizard, Expenses, Settings, TopBar 30+
Select Invoices, Expenses, Banking, Settings, Invoice wizard 20+
Badge Invoices, Expenses, Banking, Reports, Settings 15+
Dialog Invoice wizard, Expenses 2
Dropdown Menu Invoices, TopBar 2
Tabs Banking, VAT Report 2
Textarea Invoice wizard 3
Sidebar All pages 1
TopBar All pages 1
Label All forms 40+
Skeleton AuthProvider, P&L Report 2+
Separator Minimal 1-2
Avatar None yet 0
Sheet None yet 0

Component Relationships by Page

graph LR
    subgraph INVOICE_LIST["Invoice List /invoices"]
        IL_CARD["Card\n(filter container)"]
        IL_SEL["Select\n(status filter)"]
        IL_INP["Input\n(search)"]
        IL_TBL["Table\n(invoice rows)"]
        IL_BADGE["Badge\n(status)"]
        IL_DD["DropdownMenu\n(row actions)"]
        IL_BTN["Button\n(New Invoice)"]
    end

    subgraph INVOICE_WIZ["Invoice Wizard /invoices/new"]
        IW_DLG["Dialog\n(Add Customer)"]
        IW_SEL["Select\n(customer, currency, VAT)"]
        IW_INP["Input\n(fields per step)"]
        IW_TA["Textarea\n(notes, terms, email)"]
        IW_BTN["Button\n(Back, Next, Send)"]
    end

    subgraph BANKING["Banking /banking"]
        BK_TABS["Tabs\n(Accounts, Reconcile, Txs)"]
        BK_TBL["Table\n(transactions)"]
        BK_BADGE["Badge\n(match confidence)"]
        BK_BTN["Button\n(approve, link, create)"]
    end

    subgraph REPORTS["Reports /reports/vat"]
        R_TABS["Tabs\n(3-step VAT wizard)"]
        R_TBL["Table\n(VAT transactions)"]
        R_CARD["Card\n(return boxes)"]
        R_BADGE["Badge\n(invoice/expense type)"]
    end

Notes

Frontend

Design System

Bilko Design System

Source: Extracted from apps/web/tailwind.config.ts + brand identity spec Design Language: Modern Balkan accounting SaaS — clean, professional, accessible

Token Architecture Overview

graph TD
    TC["tailwind.config.ts\n(73 design tokens)"]

    TC --> COLORS["Color Tokens"]
    TC --> TYPE["Typography Tokens"]
    TC --> SPACE["Spacing Tokens"]
    TC --> RADIUS["Border Radius Tokens"]
    TC --> SHADOW["Shadow Tokens"]
    TC --> BP["Breakpoint Tokens"]

    COLORS --> PRIMARY["Primary Brand\n#00E5A0 / #00B380 / #33EBB3"]
    COLORS --> STATUS["Status Colors\nsuccess / warning / error / info"]
    COLORS --> TEXT["Text Scale\nprimary / secondary / muted"]
    COLORS --> BG["Backgrounds\nlight #FAFAFA / surface #FFF"]
    COLORS --> SIDEBAR["Sidebar (Dark Theme)\nbg / text / text-muted / active / hover"]
    COLORS --> CHART["Chart Colors\nrevenue / expense / profit / neutral"]

    TYPE --> FONT["Inter (Google Fonts)\nxs 12px → 4xl 40px"]
    TYPE --> WEIGHT["Weights\n400 / 500 / 600 / 700"]

    SPACE --> GRID["8px Grid\nxs 4px → 3xl 64px"]

    RADIUS --> SIZES["6px / 8px / 12px / full"]

    SHADOW --> ELEV["card / modal / dropdown"]

    BP --> SCREEN["640px / 768px / 1024px / 1280px"]

Color Palette

Primary Brand Colors

Primary:        #00E5A0  (Vibrant teal-green — primary CTA, links, active states)
Primary Dark:   #00B380  (Darker variant for hover states)
Primary Light:  #33EBB3  (Lighter variant for backgrounds)

Status Colors

Success:        #22C55E  (Green — success states, paid invoices, positive metrics)
Warning:        #F59E0B  (Amber — warnings, pending items, aging invoices)
Error:          #EF4444  (Red — errors, overdue invoices, negative actions)
Info:           #3B82F6  (Blue — informational messages, neutral data)

Text Colors

Text Primary:   #111113  (Near-black — body text, headings)
Text Secondary: #6B7280  (Gray-600 — secondary text, labels)
Text Muted:     #888888  (Gray-500 — muted text, placeholders)

Background Colors

Background Light:   #FAFAFA  (Off-white — main content area background)
Background Surface: #FFFFFF  (White — card backgrounds, modals)

Border Color

Border:         #E5E7EB  (Gray-200 — borders, dividers)

Chart Colors

Chart Revenue:  #22C55E  (Green — revenue bars/lines)
Chart Expense:  #EF4444  (Red — expense bars/lines)
Chart Profit:   #3B82F6  (Blue — profit bars/lines)
Chart Neutral:  #6B7280  (Gray — neutral data points)

Sidebar Colors (Dark Theme)

Sidebar BG:         #111113  (Near-black — sidebar background)
Sidebar Text:       #FAFAFA  (Off-white — sidebar text)
Sidebar Text Muted: #888888  (Gray — inactive menu items)
Sidebar Active:     #00E5A0  (Primary green — active menu item)
Sidebar Hover:      #1F1F23  (Slightly lighter black — hover state)

Usage:

Color Relationship Map

graph LR
    subgraph BRAND["Brand Identity"]
        P["Primary\n#00E5A0"]
        PD["Primary Dark\n#00B380\n(hover)"]
        PL["Primary Light\n#33EBB3\n(bg tint)"]
        P --> PD
        P --> PL
    end

    subgraph LAYOUT["Layout Zones"]
        SBG["Sidebar BG\n#111113"]
        SBG --> STEXT["Sidebar Text\n#FAFAFA"]
        SBG --> SMUTED["Sidebar Muted\n#888888"]
        SBG --> SACTIVE["Active Item\n#00E5A0"]

        CBG["Content BG\n#FAFAFA"]
        CBG --> SURF["Card Surface\n#FFFFFF"]
        CBG --> BORDER["Border\n#E5E7EB"]
    end

    subgraph SEMANTIC["Semantic Status"]
        SUCCESS["Success\n#22C55E\n(paid, positive)"]
        WARN["Warning\n#F59E0B\n(pending, aging)"]
        ERR["Error\n#EF4444\n(overdue, delete)"]
        INFO["Info\n#3B82F6\n(neutral data)"]
    end

    subgraph TEXT_SCALE["Text Scale"]
        TP["Text Primary\n#111113"]
        TS["Text Secondary\n#6B7280"]
        TM["Text Muted\n#888888"]
    end

    P -->|"active states"| SACTIVE
    SUCCESS -->|"chart-revenue"| CR["Chart Revenue"]
    ERR -->|"chart-expense"| CE["Chart Expense"]
    INFO -->|"chart-profit"| CP["Chart Profit"]

Typography

Font Family

Sans Serif: Inter, ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif

Source: Google Fonts Inter (variable font) Fallback: System UI fonts for performance

Font Sizes

xs:   12px  (Small badges, captions)
sm:   14px  (Table cells, secondary text, form labels)
base: 16px  (Body text, default)
lg:   18px  (Subheadings, emphasized text)
xl:   20px  (Section titles)
2xl:  24px  (Card titles, small headings)
3xl:  32px  (Page headings)
4xl:  40px  (Hero text, large numbers)

Font Weights

normal:    400  (Body text)
medium:    500  (Emphasis, table headers)
semibold:  600  (Subheadings, button text)
bold:      700  (Headings, metric numbers)

Type Scale Usage

Spacing System (8px Grid)

xs:  4px   (Tight spacing, icon gaps)
sm:  8px   (Input padding, small gaps)
md:  16px  (Default spacing, card padding)
lg:  24px  (Section spacing)
xl:  32px  (Large section spacing)
2xl: 48px  (Major section breaks)
3xl: 64px  (Hero spacing)

Usage:

Consistency: All spacing uses 8px increments (4px, 8px, 16px, 24px, 32px, 48px, 64px)

Border Radius

sm:   6px   (Small elements, badges)
md:   8px   (Buttons, inputs, cards)
lg:   12px  (Modals, large cards)
full: 9999px (Circular elements, pills)

Usage:

Shadows

Card Shadow:     0 2px 8px rgba(0, 0, 0, 0.08)   (Subtle card elevation)
Modal Shadow:    0 8px 24px rgba(0, 0, 0, 0.12)  (Dialog/modal elevation)
Dropdown Shadow: 0 4px 16px rgba(0, 0, 0, 0.10)  (Dropdown menu elevation)

Usage:

Philosophy: Subtle shadows for depth, avoid heavy shadows (material design style)

Design Token Relationships

classDiagram
    class ButtonTokens {
        +height_default: 40px
        +height_sm: 32px
        +height_lg: 48px
        +padding_x: 16px
        +border_radius: 8px (md)
        +font_size: 14px medium
        +variant_default: primary-bg white-text
        +variant_outline: border-only transparent
        +variant_ghost: no-border no-bg
        +variant_destructive: error-red white-text
    }

    class InputTokens {
        +height: 40px
        +padding_x: 12px
        +border: 1px solid #E5E7EB
        +border_radius: 8px (md)
        +font_size: 14px normal
        +focus_ring: 2px primary-color
    }

    class CardTokens {
        +background: #FFFFFF
        +border: 1px solid #E5E7EB
        +border_radius: 8px (md)
        +shadow: 0 2px 8px rgba-8pct
        +padding: 24px
    }

    class BadgeTokens {
        +padding: 4px 8px
        +border_radius: 6px (sm)
        +font_size: 12px medium
        +variant_success: green-bg
        +variant_warning: amber-bg
        +variant_destructive: red-bg
        +variant_secondary: light-gray-bg
    }

    class TableTokens {
        +row_height: 48px
        +cell_padding_x: 12px
        +cell_padding_y: 16px
        +border: 1px solid #E5E7EB
        +hover: light-gray #FAFAFA
        +header_weight: medium
        +header_color: text-secondary
    }

    class ColorTokens {
        +primary: #00E5A0
        +primary_dark: #00B380
        +success: #22C55E
        +warning: #F59E0B
        +error: #EF4444
        +info: #3B82F6
        +text_primary: #111113
        +text_secondary: #6B7280
        +border: #E5E7EB
        +surface: #FFFFFF
        +bg_light: #FAFAFA
    }

    ButtonTokens --> ColorTokens : uses primary, error
    InputTokens --> ColorTokens : uses border, primary (focus)
    CardTokens --> ColorTokens : uses surface, border
    BadgeTokens --> ColorTokens : uses success, warning, error
    TableTokens --> ColorTokens : uses border, bg-light (hover)

Breakpoints

sm:  640px   (Small tablets, large phones)
md:  768px   (Tablets)
lg:  1024px  (Small desktops, large tablets)
xl:  1280px  (Desktops)

Mobile-First Strategy:

Responsive Patterns:

Responsive Layout Behavior

graph TD
    subgraph MOBILE["Mobile (< 640px)"]
        M1["Sidebar: hidden\n(overlay when toggled)"]
        M2["TopBar: shows hamburger + logo"]
        M3["Grid: single column"]
        M4["Filters: stacked vertically"]
        M5["Tables: horizontal scroll"]
    end

    subgraph TABLET["Tablet (768px+)"]
        T1["Sidebar: visible, persistent"]
        T2["TopBar: shows search + user menu"]
        T3["Grid: 2 columns"]
        T4["Filters: row layout"]
        T5["Tables: full width"]
    end

    subgraph DESKTOP["Desktop (1024px+)"]
        D1["Sidebar: 256px fixed width"]
        D2["TopBar: full bar"]
        D3["Grid: 3 columns"]
        D4["Settings: sidebar + content split"]
        D5["Banking: full tab content"]
    end

Component Tokens

Button

Input

Card

Badge

Table

Icon System

Library: Lucide React (v0.469.0) Size: Consistent 16px (w-4 h-4) or 20px (w-5 h-5) Usage:

Common Icons:

Chart Design Tokens

Chart Colors (Recharts)

Revenue:  #22C55E  (Green bars)
Expense:  #EF4444  (Red bars)
Profit:   #3B82F6  (Blue bars)
Neutral:  #6B7280  (Gray — when no semantic meaning)

Chart Typography

Chart Layout

Accessibility

Color Contrast

Focus Indicators

Semantic HTML

Design Principles

  1. Clarity over Decoration — Data-first, minimal ornamentation
  2. Consistent Spacing — 8px grid, predictable rhythm
  3. Accessible by Default — WCAG AA minimum, Radix UI primitives
  4. Mobile-First — Responsive from 375px+ (iPhone SE)
  5. Dark Sidebar + Light Content — Clear visual separation
  6. Primary Color as Accent — Green (#00E5A0) for actions, not backgrounds
  7. Subtle Shadows — Elevation without heaviness
  8. Data-Dense UI — Tables, charts, metrics — optimized for information density

Brand Identity Alignment

From ~/system/specs/bilko-brand-identity.md:

Future Tokens (Phase 2)

When implementing API integration:

Frontend

Forms & Validation

Bilko Forms Documentation

Current State: Native HTML forms with React state Validation: Client-side JavaScript validation (no schema validation yet) Future State: Zod schemas for validation, react-hook-form for form management

Forms Overview

graph TD
    FORMS["Bilko Forms"]

    FORMS --> IW["Invoice Wizard\n6-step multi-page form\n/invoices/new"]
    FORMS --> EF["Expense Form\nDialog (modal)\n/expenses"]
    FORMS --> SF["Settings Forms\n6 sections\n/settings"]
    FORMS --> AUTH["Auth Forms\nLogin + Register\n/login /register"]

    IW --> IW1["Step 1: Customer"]
    IW --> IW2["Step 2: Details"]
    IW --> IW3["Step 3: Line Items"]
    IW --> IW4["Step 4: Customization"]
    IW --> IW5["Step 5: Preview"]
    IW --> IW6["Step 6: Send"]

    EF --> EF1["Amount + Currency"]
    EF --> EF2["Category + Date"]
    EF --> EF3["Vendor + Payment Method"]
    EF --> EF4["Receipt Upload (placeholder)"]
    EF --> EF5["Description (optional)"]

    SF --> SF1["Company Profile"]
    SF --> SF2["Tax & Compliance"]
    SF --> SF3["Notification Preferences"]
    SF --> SF4["Security Settings"]

    AUTH --> AUTH1["Login\nemail + password"]
    AUTH --> AUTH2["Register\nname, company, email, password, country"]

Invoice Creation Wizard (6-Step Multi-Page Form)

Route: /invoices/new File: app/(dashboard)/invoices/new/page.tsx

Wizard State Machine

stateDiagram-v2
    [*] --> Step1_Customer : navigate to /invoices/new

    Step1_Customer : Step 1 — Customer Selection
    Step1_Customer : Select existing customer (dropdown)
    Step1_Customer : OR open Add Customer dialog
    Step1_Customer : Validation: customer required

    Step2_Details : Step 2 — Invoice Details
    Step2_Details : invoiceNumber (auto-generated)
    Step2_Details : issueDate, dueDate
    Step2_Details : netTerms (Net 15/30/60 → auto-updates dueDate)
    Step2_Details : currency (EUR/RSD/BAM)

    Step3_LineItems : Step 3 — Line Items
    Step3_LineItems : description (required), qty, unitPrice
    Step3_LineItems : vatRate (0/10/17/20/25%)
    Step3_LineItems : total auto-calculated (read-only)
    Step3_LineItems : Validation: min 1 item with description

    Step4_Customize : Step 4 — Customization
    Step4_Customize : notes (optional textarea)
    Step4_Customize : terms (optional textarea)
    Step4_Customize : No validation required

    Step5_Preview : Step 5 — Preview
    Step5_Preview : Read-only invoice render
    Step5_Preview : All data from previous steps
    Step5_Preview : No validation

    Step6_Send : Step 6 — Send / Save
    Step6_Send : to (email, pre-filled from customer)
    Step6_Send : subject, message (pre-filled template)
    Step6_Send : sendCopy (checkbox)
    Step6_Send : Save as Draft / Download PDF / Send Invoice

    Step1_Customer --> Step2_Details : Next (customer selected)
    Step1_Customer --> Step1_Customer : Next (no customer) — alert shown

    Step2_Details --> Step3_LineItems : Next
    Step2_Details --> Step1_Customer : Back

    Step3_LineItems --> Step4_Customize : Next (has valid item)
    Step3_LineItems --> Step3_LineItems : Next (no items) — alert shown
    Step3_LineItems --> Step2_Details : Back

    Step4_Customize --> Step5_Preview : Next
    Step4_Customize --> Step3_LineItems : Back

    Step5_Preview --> Step6_Send : Next
    Step5_Preview --> Step4_Customize : Back

    Step6_Send --> [*] : Send Invoice → alert + redirect /invoices
    Step6_Send --> Step5_Preview : Back
    Step6_Send --> [*] : Cancel → confirm dialog → /invoices

Form Structure

Step 1: Customer Selection

Fields:

Add Customer Dialog:

Validation:

Step 2: Invoice Details

Fields:

Behavior:

Step 3: Line Items

Repeating Fields (Line Items):

Each line item contains:

Actions:

Totals Display (read-only):

Validation:

Step 4: Customization

Fields:

Behavior:

Step 5: Preview (Read-Only)

No form fields. Displays formatted invoice preview with all data from previous steps.

Preview Elements:

No validation. Step is purely visual review.

Step 6: Send/Save

Email Form:

Action Buttons:

Validation:

Line Item Data Flow

flowchart LR
    DESC["description\n(text input)"]
    QTY["quantity\n(number input)"]
    PRICE["unitPrice\n(number input)"]
    VAT["vatRate\n(Select: 0/10/17/20/25%)"]

    QTY --> CALC["useMemo(totals)\nsubtotal = qty * price\nvatTotal = subtotal * rate\ntotal = subtotal + vatTotal"]
    PRICE --> CALC
    VAT --> CALC

    CALC --> ROW_TOTAL["Row Total\n(read-only display)"]
    CALC --> SUBTOTAL["Subtotal\n(sum of all rows)"]
    CALC --> VAT_TOTAL["VAT Total\n(sum of all VAT)"]
    CALC --> GRAND_TOTAL["Grand Total\n(subtotal + vatTotal)"]

    DESC -->|"required"| VALID["Validation\nAt least 1 item\nwith description"]

Form State Management

Local State:

const [step, setStep] = useState(1)
const [customer, setCustomer] = useState<Contact | null>(null)
const [showAddCustomer, setShowAddCustomer] = useState(false)
const [invoiceDetails, setInvoiceDetails] = useState<InvoiceDetails>({
  number: "INV-2026-009",
  issueDate: "2026-02-20",
  dueDate: "2026-03-22",
  currency: "EUR"
})
const [lineItems, setLineItems] = useState<LineItem[]>([
  { description: "", quantity: 1, unitPrice: 0, vatRate: 20, total: 0 }
])
const [notes, setNotes] = useState("Thank you for your business!")
const [terms, setTerms] = useState("Payment due within 30 days.")
const [emailData, setEmailData] = useState({
  to: "",
  subject: "",
  message: "",
  sendCopy: false
})

No persistence: All state lost on page refresh or navigation away.

No Zod schemas: Validation is inline JavaScript (alert boxes).

Expense Form (Dialog)

Route: /expenses Component: Dialog triggered by "Add Expense" button

Expense Form Flow

flowchart TD
    BTN["'Add Expense' Button\nExpenses Page"]
    BTN --> DLG["Dialog Opens\nisDialogOpen=true"]

    DLG --> AMOUNT["Amount (number, required)"]
    DLG --> CURRENCY["Currency (Select: EUR/RSD/BAM)"]
    DLG --> CATEGORY["Category (Select, required)\nOffice/Travel/Meals/Utilities\nMarketing/Infrastructure\nSoftware/Professional Services"]
    DLG --> DATE["Date (date input, required)"]
    DLG --> VENDOR["Vendor (text, optional)"]
    DLG --> PAYMENT["Payment Method (Select, optional)\nCash/Card/Bank Transfer"]
    DLG --> RECEIPT["Receipt Upload\n(placeholder UI — no real upload)"]
    DLG --> DESC["Description (text, optional)"]

    AMOUNT --> SUBMIT["Save Expense button"]
    CATEGORY --> SUBMIT

    SUBMIT -->|"current"| CONSOLE["console.log(formData)\nDialog closes\nForm resets"]
    SUBMIT -->|"future"| API["POST /api/expenses\nRefetch expense list"]

    DLG --> CANCEL["Cancel button\nDialog closes\nForm resets"]

Form Fields

Form Actions

No API submission. Form data not persisted.

No Zod schemas. Validation is JavaScript logic in form submit handler.

Settings Forms

Route: /settings File: app/(dashboard)/settings/page.tsx

Settings Navigation Flow

stateDiagram-v2
    [*] --> Company : default section

    Company : Company Profile
    Company : name, legalForm, address, city\npostalCode, country, taxId\nbaseCurrency, fiscalYearStart

    Users : Users & Roles
    Users : User management table\n(name, email, role, status)\nInvite User button

    Tax : Tax & Compliance
    Tax : country (Serbia/BiH/Croatia)\nvatRegistered (checkbox)\nvatNumber (conditional)\nvatRate (conditional)\ncompliance reminder checkboxes

    Integrations : Integrations
    Integrations : Connected: Intesa Bank CSV, Email SMTP\nAvailable: Stripe, Fiken\nGoogle Sheets, Slack, DocuSeal

    Notifications : Notification Preferences
    Notifications : Email: paid, overdue, approved, synced\nIn-App: invoice updates, expense updates\nreconciliation matches

    Security : Security Settings
    Security : Enable 2FA button\nSession Timeout Select\nPassword Policy checkboxes\nAudit Log / Data Export / Delete Company

    Company --> Users : sidebar nav click
    Company --> Tax : sidebar nav click
    Company --> Integrations : sidebar nav click
    Company --> Notifications : sidebar nav click
    Company --> Security : sidebar nav click

    Users --> Company : sidebar nav click
    Tax --> Company : sidebar nav click
    Integrations --> Company : sidebar nav click
    Notifications --> Company : sidebar nav click
    Security --> Company : sidebar nav click

Company Profile Form

Fields:

Action:

Validation: None (no required fields enforced)

Tax & Compliance Form

Fields:

Compliance Reminders:

Action:

Validation: None

Notification Preferences

Email Notifications:

In-App Notifications:

Action:

Validation: None

Security Settings

Two-Factor Authentication:

Session Timeout:

Password Policy:

Actions:

Validation: None

Auth Forms

Login Form (/login)

flowchart TD
    LP["LoginPage\n/login"]
    LP --> EMAIL["Email input\ntype=email, required"]
    LP --> PASS["Password input\ntype=password, show/hide toggle"]
    LP --> SUBMIT["Submit Button\n'Prijavite se'"]

    SUBMIT --> STORE["useAuthStore.login(email, password)"]
    STORE -->|"success"| DASH["router.push('/dashboard')"]
    STORE -->|"error"| ERR["Error banner\n(red bg, border, message from store)"]

    LP --> FORGOT["Forgot password link\n(no functionality yet)"]
    LP --> REG["Link to /register"]

Register Form (/register)

Fields:

Submit: Calls api.auth.register() → auto-login via useAuthStore.login() → redirect to /dashboard

Validation Architecture

flowchart LR
    subgraph CURRENT["Current (Phase 1)"]
        INLINE["Inline JS Validation\nalert() on submit\nno schema, no real-time feedback"]
        INLINE --> INVOICE_V["Invoice Wizard\n• Step 1: if(!customer) alert()\n• Step 3: if(!descriptions) alert()"]
        INLINE --> EXPENSE_V["Expense Form\n• if(!amount || !category) return"]
        INLINE --> AUTH_V["Auth Forms\n• HTML required attribute\n• type=email browser validation"]
    end

    subgraph FUTURE["Future (Phase 2)"]
        ZOD["Zod Schemas\ncentralized, type-safe, reusable"]
        RHF["react-hook-form\nuseForm + zodResolver"]
        ZOD --> RHF
        RHF --> RT["Real-time Validation\nfield-level, on-change or on-blur"]
        RHF --> EM["Error Messages\ninline under each field"]
        RHF --> ES["Error State Styling\nred border + error text"]
    end

Future Form Enhancements (Phase 2)

Zod Schema Validation

Planned: Replace inline validation with Zod schemas

Example (Invoice Wizard Step 1):

import { z } from 'zod'

const customerSchema = z.object({
  id: z.string(),
  name: z.string().min(1, "Customer name required"),
  email: z.string().email("Valid email required"),
  phone: z.string().optional(),
  taxId: z.string().optional()
})

Benefits:

react-hook-form Integration

Planned: Replace useState with react-hook-form

Example (Expense Form):

import { useForm } from 'react-hook-form'
import { zodResolver } from '@hookform/resolvers/zod'

const expenseSchema = z.object({
  amount: z.number().positive("Amount must be positive"),
  currency: z.enum(['EUR', 'RSD', 'BAM']),
  category: z.string().min(1, "Category required"),
  date: z.string(),
  vendor: z.string().optional(),
  paymentMethod: z.string().optional(),
  description: z.string().optional()
})

const { register, handleSubmit, formState: { errors } } = useForm({
  resolver: zodResolver(expenseSchema)
})

Benefits:

Field-Level Validation

Planned: Real-time validation as user types

Example (Email Field):

<Input
  {...register("email")}
  type="email"
  error={errors.email?.message}
/>
{errors.email && (
  <span className="text-error text-sm">{errors.email.message}</span>
)}

Current State: No real-time validation, only on form submit.

Form Persistence

Planned: Save draft forms to localStorage

Use Cases:

Implementation:

// Save to localStorage on every state change
useEffect(() => {
  localStorage.setItem('invoice-draft', JSON.stringify(invoiceState))
}, [invoiceState])

// Load from localStorage on mount
useEffect(() => {
  const draft = localStorage.getItem('invoice-draft')
  if (draft) setInvoiceState(JSON.parse(draft))
}, [])

File Upload (Receipt Attachment)

Current State: Placeholder UI only (dashed border div)

Future Implementation:

API Endpoint (planned):

POST /api/expenses/:id/receipt
Content-Type: multipart/form-data

Autocomplete/Search Fields

Current State: Plain text inputs

Future Enhancement (Vendor Field):

Library: Radix UI Combobox or react-select

Multi-Currency Conversion

Current State: User manually selects currency

Future Enhancement:

Summary

Current Forms:

  1. Invoice Wizard (6-step) — Customer, Details, Line Items, Customization, Preview, Send
  2. Expense Form (dialog) — Amount, Category, Date, Vendor, Receipt, etc.
  3. Company Profile — All company settings
  4. Tax & Compliance — VAT settings
  5. Notification Preferences — Email/in-app notification toggles
  6. Security Settings — 2FA, session timeout, password policy
  7. Login Form — Email + password, auth via Zustand store
  8. Register Form — Name, company, email, password, country

Validation:

State Management:

Future (Phase 2):

Design & Brand

Figma designs, logo, tokens, validation

Design & Brand

Figma Validation Report (2026-02-21)

Figma vs Build Validation — 2026-02-21

Critical Fix: Sidebar Dark → White

ElementBefore (BUG)After (FIXED)Figma
Sidebar background#111113 (black)#FFFFFF (white)#FFFFFF
Sidebar text#FAFAFA (white)#111113 (dark)#111113
Sidebar hover#1F1F23 (dark)#F5F5F5 (light)light
Active nav stateSolid #00E5A0 + white textLight mint #E6FFF8 + green textLight mint + green
Hamburger menuHidden on desktopVisible alwaysVisible
Notification bellPresentRemovedNot in design
LogoCSS box with 'B' textSharp B SVG from FigmaSharp B geometric

Root Cause

globals.css @theme block had inverted sidebar colors (dark mode values). Tailwind CSS v4 prioritizes @theme over tailwind.config.ts, so the correct tokens in config were overridden by wrong values in CSS.

Files Changed

Pages Validated

PageRouteSidebarContent Match
Dashboard/dashboard✓ White✓ Structure matches
Sales/Invoices/invoices✓ White✓ Build AHEAD (filters, actions)
VAT Return/reports/vat✓ White✓ Matches (minor: decimals)
Reports Hub/reports✓ White✓ Build AHEAD (P&L detail)
Add Expense/expenses/new✓ White✓ Matches
Purchases/purchases✓ White✓ Build AHEAD (full table)
Banking/banking✓ White✓ Build AHEAD (accounts)
Settings/settings✓ White✓ Build AHEAD (full form)

Remaining Minor Differences

Build Status

✓ 0 errors, 12/12 pages compiled, Next.js 15.5.12

Documentation Index

Bilko Documentation Index

Last updated: 2026-02-20 Project ID: bbd77cc0 Status: Backend SPECIFICATION (not implemented) Pipeline Status: 7/8 gates PASS — See Validation Report

Key Documents

Purpose

This documentation defines the implementation contract for Bilko's backend. The database schema exists and the frontend is built with mock data. These docs specify what the backend MUST implement to complete the system.

Backend Documentation

Document Description Status
API Reference All API endpoints — method, path, request/response, auth SPECIFICATION
Database Schema All 15 models — columns, types, constraints, indexes IMPLEMENTED (Prisma)
Authentication JWT auth flow, password hashing, 2FA, RBAC SPECIFICATION
Business Logic Double-entry bookkeeping, VAT calculation, multi-currency, reconciliation SPECIFICATION
Middleware Express middleware stack — security, auth, validation, error handling SPECIFICATION
Services External service integrations — SendGrid, Cloudflare R2, exchange rates, PDF generation SPECIFICATION

Frontend Documentation

Document Description Status
Pages All 10 implemented pages — routes, data requirements, mobile responsive IMPLEMENTED
Component Inventory All 17 shadcn/ui components — usage, props, examples IMPLEMENTED
Design System Colors, typography, spacing, shadows — 73 design tokens IMPLEMENTED
State Management Zustand setup, stores, patterns SPECIFICATION
Forms Form validation, error handling, submission patterns SPECIFICATION
Web App CLAUDE.md (local file only) Next.js 15 frontend overview REFERENCE

Infrastructure Documentation

Document Description Status
Deployment Deployment strategy — Vercel (frontend), Railway (backend+DB), environments SPECIFICATION
CI/CD GitHub Actions pipeline — lint, test, build, deploy SPECIFICATION
Environment Environment variables, secrets management, config SPECIFICATION

Security Documentation

Document Description Status
Security Architecture JWT auth, RBAC, encryption, rate limiting, OWASP Top 10 SPECIFICATION
Compliance GDPR compliance, data retention, user rights, privacy policy SPECIFICATION

Testing Documentation

Document Description Status
Testing Guide Testing philosophy, pyramid, tech stack (Vitest, Supertest, Playwright) SPECIFICATION
Test Inventory Critical test scenarios, coverage requirements, quality gates SPECIFICATION

Regulatory Documentation

Document Description Status
Serbia SEF SEF e-invoicing (UBL 2.1), 20% PDV, Kontni Okvir Chart of Accounts, e-Transport RESEARCH COMPLETE
BiH PDV 17% PDV, UNO/ITA filing, e-invoicing draft law, FBiH (IFRS) + RS Chart of Accounts RESEARCH COMPLETE
Croatia eRačun eRačun B2G (2019) + B2B (2026), 25% VAT, RRiF Chart of Accounts, Fiscalization 2.0 RESEARCH COMPLETE
Chart of Accounts Serbia (Class 0-9), BiH (IFRS/RS), Croatia (RRiF) — account structures RESEARCH COMPLETE

How to Use This Documentation

For Backend Developers

  1. Start with API Reference — this is your implementation contract
  2. Read Database Schema — understand the data model
  3. Review Business Logic — learn accounting domain rules
  4. Implement endpoints following Middleware and Authentication

For Frontend Developers

For QA Engineers

Key Architectural Decisions

1. Double-Entry Bookkeeping

Every financial event creates a Transaction with debitAccount + creditAccount. Debits = Credits always.

2. Multi-Currency with Rate Locking

Exchange rate is locked at transaction date. Historical transactions NEVER recalculated with current rates.

3. Immutable Audit Trail

LoggedAction table is APPEND-ONLY. All INSERT/UPDATE/DELETE operations captured.

4. Organization-Scoped Multi-Tenancy

Every API request filtered by organizationId. No cross-org data access.

5. NUMERIC(19,4) for ALL Money

NEVER use float or JavaScript number for currency. Precision is critical.

Contributing

When adding new documentation:

  1. Add entry to this INDEX.md
  2. Follow existing document structure (Purpose → Spec → Examples)
  3. Mark implementation status (SPECIFICATION, IN PROGRESS, IMPLEMENTED)
  4. Update "Last updated" date in this file

Architecture

Architecture

High-Level Design (HLD)

Bilko — High-Level Design (HLD)

Version: 1.0 Date: 2026-02-23 Project ID: bbd77cc0 Status: Current — reflects actual codebase as of 2026-02-23

Table of Contents

  1. System Overview
  2. Monorepo Structure
  3. Component Architecture
  4. Data Flow
  5. Tech Stack Rationale
  6. Multi-Tenancy Model
  7. Authentication Architecture
  8. Multi-Currency Architecture
  9. Country Plugin System
  10. Infrastructure Overview
  11. Security Model

1. System Overview

Bilko is a cloud-based accounting SaaS for Balkan SMBs operating in Serbia, Bosnia & Herzegovina, and Croatia. It is modeled after Fiken (Norway) — simple, compliant, and affordable.

Key design goals:

Target users: 50K–500K SMBs across the Balkan region Domains: bilko.io (primary), bilko.rs (Serbia redirect)

2. Monorepo Structure

The project uses Turborepo for monorepo management.

Bilko/
├── apps/
│   ├── web/                   # Next.js 15 frontend (App Router)
│   └── api/                   # Express + TypeScript backend
├── packages/
│   ├── database/              # Prisma schema + Prisma Client (@bilko/database)
│   ├── core/                  # Accounting engine (@bilko/core)
│   ├── country-rs/            # Serbia plugin (@bilko/country-rs)
│   ├── country-ba/            # Bosnia & Herzegovina plugin (@bilko/country-ba)
│   ├── country-hr/            # Croatia plugin (@bilko/country-hr)
│   └── ui/                    # Shared UI scaffold (empty, placeholder)
├── infrastructure/
│   ├── terraform/             # AWS infrastructure as code
│   ├── docker/                # Dockerfiles and docker-compose
│   ├── nginx/                 # Nginx reverse proxy config
│   ├── pm2/                   # PM2 process manager config
│   └── scripts/               # Deployment shell scripts
├── docs/                      # All documentation
│   ├── backend/               # API, auth, services, DB schema docs
│   ├── frontend/              # Pages, components, design system docs
│   ├── infrastructure/        # Deployment, CI/CD, environment docs
│   ├── regulatory/            # Country-specific accounting law summaries
│   ├── security/              # Security architecture, compliance
│   └── testing/               # Testing guides and inventory
├── CLAUDE.md                  # Project AI assistant instructions
└── PIPELINE.md                # 8-gate checklist

3. Component Architecture

graph TB
    subgraph Client["Client Layer"]
        Browser["Browser / Mobile"]
    end

    subgraph Frontend["apps/web — Next.js 15"]
        AppRouter["App Router"]
        Pages["Pages (Dashboard, Invoices, Expenses, Reports, Banking, Settings)"]
        Components["shadcn/ui Components"]
        MockData["lib/mock-data.ts (TEMP — replace with API calls)"]
        Zustand["Zustand Store (future)"]
    end

    subgraph Backend["apps/api — Express + TypeScript"]
        Middleware["Middleware Stack (helmet → cors → json → rate-limit → auth → validate → handler → error)"]
        Routes["Route Modules (auth, invoices, expenses, contacts, accounts, transactions, reports, banking, settings)"]
        Services["Service Layer (Invoice, Expense, Contact, Account, Banking, Report, Settings)"]
        CoreEngine["@bilko/core (accounting, tax, multi-currency, bank-import)"]
    end

    subgraph Plugins["Country Plugins"]
        RS["@bilko/country-rs (Serbia: PDV 20%, SEF, CIT 15%)"]
        BA["@bilko/country-ba (BiH: PDV 17%, IFRS, UIO)"]
        HR["@bilko/country-hr (Croatia: PDV 25%, eRačun, FINA)"]
    end

    subgraph Data["Data Layer"]
        Prisma["@bilko/database — Prisma Client"]
        PG["PostgreSQL 15 (RDS)"]
    end

    subgraph Storage["Storage"]
        R2["Cloudflare R2 (PDF storage, receipts)"]
    end

    Browser --> AppRouter
    AppRouter --> Pages
    Pages --> Components
    Pages --> MockData
    Pages --> Zustand

    Pages -->|"REST API calls (future)"| Routes
    Middleware --> Routes
    Routes --> Services
    Services --> CoreEngine
    Services --> Plugins
    Services --> Prisma
    Prisma --> PG
    Services --> R2

4. Data Flow

4.1 Standard Request Flow

sequenceDiagram
    participant U as User (Browser)
    participant FE as Next.js Frontend
    participant MW as Middleware Stack
    participant RT as Route Handler
    participant SV as Service Layer
    participant CE as @bilko/core
    participant PR as Prisma Client
    participant DB as PostgreSQL

    U->>FE: User Action (e.g., Create Invoice)
    FE->>MW: POST /api/v1/invoices + Bearer token
    MW->>MW: helmet (security headers)
    MW->>MW: cors (origin check)
    MW->>MW: rate-limit (100 req/15min per IP)
    MW->>MW: authGuard (verify JWT access token)
    MW->>MW: organizationScope (attach orgId to request)
    MW->>MW: validate (Zod schema check)
    MW->>RT: req.user + req.body validated
    RT->>SV: invoiceService.createInvoice(orgId, userId, data)
    SV->>CE: calculateVAT(), lockExchangeRate()
    SV->>PR: prisma.$transaction([create invoice, create items])
    PR->>DB: INSERT invoices, invoice_items
    DB-->>PR: Created records
    PR-->>SV: Invoice with items
    SV-->>RT: Formatted response
    RT-->>FE: 201 JSON response
    FE-->>U: Updated UI

4.2 Invoice Lifecycle with Double-Entry

stateDiagram-v2
    [*] --> draft: POST /api/v1/invoices
    draft --> sent: PATCH /status {action: "send"}\n→ Creates TX: DR Receivable / CR Revenue
    sent --> viewed: (future: email tracking webhook)
    viewed --> paid: PATCH /status {action: "mark-paid"}\n→ Creates TX: DR Bank / CR Receivable
    sent --> paid: PATCH /status {action: "mark-paid"}
    draft --> cancelled: PATCH /status {action: "cancel"}
    sent --> cancelled: PATCH /status {action: "cancel"}
    viewed --> overdue: (cron job: past due date)
    overdue --> paid: PATCH /status {action: "mark-paid"}

4.3 Expense Lifecycle with Double-Entry

stateDiagram-v2
    [*] --> pending: POST /api/v1/expenses
    pending --> approved: PATCH /expenses/:id/approve\n→ Creates TX: DR Expense / CR Payable
    approved --> paid: PATCH /expenses/:id/pay\n→ Creates TX: DR Payable / CR Bank
    pending --> rejected: (future endpoint)

5. Tech Stack Rationale

Layer Technology Rationale
Frontend Framework Next.js 15 (App Router) SSR for fast initial load, SEO, file-system routing, React Server Components
Frontend Language TypeScript 5.3 Type safety, IDE support, catch errors at compile time
Styling Tailwind CSS 4 + shadcn/ui Utility-first styling with accessible, unstyled Radix UI primitives
State Management Zustand 4.5 (planned) Lightweight global state; React hooks used currently during mock phase
Charts Recharts 2.15 React-native chart library, composable, good TypeScript support
Icons Lucide React Consistent icon set, tree-shakeable, maintained fork of Feather
Backend Framework Express + TypeScript Minimal, battle-tested, massive ecosystem; team familiarity
ORM Prisma Type-safe database access, migration management, schema-as-code
Database PostgreSQL 15 NUMERIC(19,4) for money, mature ACID compliance, full-text search
Auth JWT (access + refresh) Stateless, scalable; no session store needed
Validation Zod Runtime schema validation with full TypeScript inference
Monorepo Turborepo Fast incremental builds, shared packages, workspace management
Decimal Arithmetic Decimal.js Arbitrary-precision arithmetic — required for financial calculations
Infrastructure AWS (EC2, RDS, S3, CloudFront) Reliable, eu-central-1 region close to Balkan users
IaC Terraform Declarative infrastructure, reproducible environments

6. Multi-Tenancy Model

Bilko uses organization-scoped multi-tenancy — all business data is isolated by organizationId.

erDiagram
    Organization {
        uuid id PK
        string name
        string baseCurrency "EUR by default"
        string country "RS, BA, HR"
        string language "sr, bs, hr"
    }
    User {
        uuid id PK
        uuid organizationId FK
        enum role "owner, admin, accountant, viewer"
    }
    Invoice {
        uuid id PK
        uuid organizationId FK
    }
    Expense {
        uuid id PK
        uuid organizationId FK
    }
    Transaction {
        uuid id PK
        uuid organizationId FK
    }
    Organization ||--o{ User : has
    Organization ||--o{ Invoice : owns
    Organization ||--o{ Expense : owns
    Organization ||--o{ Transaction : owns

Enforcement mechanism: The organizationScope middleware (apps/api/src/middleware/org-scope.ts) attaches req.user.organizationId to every authenticated request. All service methods receive organizationId as first parameter and filter all Prisma queries with where: { organizationId }. Cross-organization data access is structurally impossible via the API layer.

RBAC roles:

Role Permissions
owner Full access, manage users, change roles, delete org
admin Full access except role management
accountant CRUD on invoices, expenses, transactions, reports
viewer Read-only access to all data

7. Authentication Architecture

sequenceDiagram
    participant C as Client
    participant A as API /auth
    participant DB as PostgreSQL

    C->>A: POST /api/v1/auth/login {email, password}
    A->>DB: findUser(email) → user + passwordHash
    A->>A: bcrypt.verify(password, passwordHash)
    A->>A: signAccessToken({sub, email, role, orgId}) [15min, JWT_SECRET]
    A->>A: signRefreshToken({sub, jti}) [7d, JWT_REFRESH_SECRET]
    A-->>C: 200 {accessToken, user, org} + Set-Cookie: refreshToken (httpOnly)

    Note over C,A: Subsequent requests
    C->>A: GET /api/v1/invoices + Authorization: Bearer <accessToken>
    A->>A: authGuard: verifyAccessToken() → payload
    A->>A: organizationScope: attach orgId to req
    A-->>C: 200 {data}

    Note over C,A: Token refresh
    C->>A: POST /api/v1/auth/refresh (cookie: refreshToken)
    A->>A: verifyRefreshToken() → {sub, jti}
    A->>DB: findUser(sub) → user
    A->>A: signAccessToken(newPayload)
    A-->>C: 200 {accessToken}

Token storage:

Security:

8. Multi-Currency Architecture

All monetary amounts stored as DECIMAL(19,4) in PostgreSQL. The system maintains both the transaction currency amount and the base-currency equivalent.

Key fields on monetary entities:

Field Type Purpose
currencyCode CHAR(3) ISO 4217 currency of the transaction
exchangeRate DECIMAL(12,6) Rate locked at transaction date
amount DECIMAL(19,4) Amount in transaction currency
baseAmount DECIMAL(19,4) Amount converted to org's baseCurrency

Rate locking: When an invoice or expense is created, the exchange rate is fetched from the ExchangeRate table for the most recent date on or before the transaction date and locked permanently. Historical rates are never recalculated (packages/core/src/multi-currency/index.ts: lockExchangeRate()).

Supported currencies: EUR, RSD, BAM, HRK, USD, GBP, CHF

Fallback: If no exchange rate is found for a currency pair on a given date, the system logs a warning and uses 1.0. This is a known gap — exchange rate population is a prerequisite for multi-currency accuracy.

9. Country Plugin System

Each country is a separate npm package with the same module structure:

packages/country-{code}/src/
├── tax/index.ts       # VAT/PDV calculation, CIT, WHT
├── chart/index.ts     # Country-specific chart of accounts
├── fiscal/index.ts    # Fiscal year rules
├── filing/index.ts    # Tax filing periods and deadlines
├── locale/index.ts    # Language/formatting (date, currency)
└── index.ts           # Re-exports all modules

Country-specific data:

Country Plugin VAT Standard VAT Reduced CIT E-Invoice
Serbia (RS) @bilko/country-rs 20% 10% 15% flat SEF (UBL 2.1) mandatory since 2023
Bosnia & Herzegovina (BA) @bilko/country-ba 17% none 10% (FBiH/RS both) CPF (pending, ~2026)
Croatia (HR) @bilko/country-hr 25% 13%, 5% 10%/18% progressive eRačun (UBL 2.1) mandatory since 2026

The core engine (@bilko/core) provides country-agnostic accounting primitives. Country plugins extend these with jurisdiction-specific rules without modifying core logic.

10. Infrastructure Overview

graph LR
    subgraph DNS["Route 53"]
        D1["bilko.io"]
        D2["api.bilko.io"]
    end

    subgraph CDN["CloudFront"]
        CF["CloudFront Distribution\n(bilko.io → S3/Next.js)"]
    end

    subgraph Compute["EC2 (eu-central-1)"]
        NG["Nginx (reverse proxy)"]
        PM2["PM2 (process manager)"]
        API["Express API\n(Node.js)"]
        WEB["Next.js Frontend\n(standalone build)"]
    end

    subgraph Data["Data Layer"]
        RDS["RDS PostgreSQL 15\n(Multi-AZ)"]
        S3["S3 (backups, assets)"]
        R2["Cloudflare R2\n(PDFs, receipts)"]
    end

    subgraph Monitor["Monitoring"]
        CW["CloudWatch\n(logs, alarms)"]
    end

    D1 --> CF --> NG
    D2 --> NG
    NG --> PM2
    PM2 --> API
    PM2 --> WEB
    API --> RDS
    API --> R2
    API --> CW

Key infrastructure decisions:

11. Security Model

Layer Control
Transport HTTPS enforced (HSTS, maxAge: 31536000, includeSubDomains)
Security headers helmet (CSP, X-Frame-Options: deny, X-Content-Type-Options: noSniff)
CORS Whitelist: bilko.io, www.bilko.io, localhost:3000
Rate limiting 100 req/15min per IP (general); stricter limit on /auth/login and /auth/register
Authentication JWT access token (15min) + refresh token (7d, httpOnly cookie)
Authorization RBAC checked per endpoint; organizationScope middleware enforces tenancy
Password storage bcrypt, 12 salt rounds
Audit trail LoggedAction table — append-only, captures all INSERT/UPDATE/DELETE with user, timestamp, old/new values
Money precision NUMERIC(19,4) everywhere; Decimal.js in business logic
Transaction immutability Transaction.locked = true makes records unmodifiable
SQL injection Prisma parameterized queries — no raw SQL in business logic
Secret management Environment variables; never committed to repository
Architecture

Low-Level Design (LLD)

Bilko — Low-Level Design (LLD)

Version: 1.0 Date: 2026-02-23 Project ID: bbd77cc0 Status: Current — reflects actual codebase as of 2026-02-23

Table of Contents

  1. API Endpoint Specifications
  2. Database Schema Documentation
  3. Service Layer Design
  4. Middleware Stack
  5. Double-Entry Bookkeeping Implementation
  6. Tax Calculation Logic Per Country
  7. Invoice Lifecycle
  8. Bank Import Flow
  9. Core Engine Modules

1. API Endpoint Specifications

Base URL: /api/v1 Auth: All endpoints except /auth/* and /health require Authorization: Bearer <accessToken> Content-Type: application/json Error format:

{
  "error": "Human-readable message",
  "code": "ERROR_CODE",
  "details": {}
}

1.1 Health

GET /api/v1/health

No auth required.

Response 200:

{ "status": "ok", "timestamp": "2026-02-23T10:00:00.000Z" }

1.2 Authentication (/auth)

Source: apps/api/src/routes/auth.ts

POST /api/v1/auth/register

Rate-limited (stricter). Creates organization + owner user in a single Prisma transaction.

Request body:

{
  "organizationName": "Acme DOO",
  "country": "RS",
  "baseCurrency": "RSD",
  "language": "sr",
  "registrationNumber": "12345678",
  "vatNumber": "123456789",
  "email": "user@acme.rs",
  "password": "securepassword",
  "fullName": "Marko Marković"
}

Response 201:

{
  "user": { "id": "uuid", "email": "...", "fullName": "...", "role": "owner" },
  "organization": { "id": "uuid", "name": "...", "country": "RS", "baseCurrency": "RSD" },
  "tokens": { "accessToken": "jwt...", "refreshToken": "jwt..." }
}

Errors: 409 DUPLICATE (email exists), 400 VALIDATION_ERROR

POST /api/v1/auth/login

Rate-limited (stricter). rememberMe: true extends refresh token to 30 days.

Request body:

{ "email": "user@acme.rs", "password": "securepassword", "rememberMe": false }

Response 200: Same shape as register response. Sets refreshToken httpOnly cookie (path: /api/v1/auth).

Errors: 401 UNAUTHORIZED (invalid credentials)

POST /api/v1/auth/refresh

Uses refreshToken cookie. Issues new access token.

Response 200:

{ "accessToken": "jwt..." }

Errors: 401 NO_TOKEN, 401 TOKEN_EXPIRED, 401 INVALID_TOKEN

POST /api/v1/auth/logout

Clears refreshToken cookie.

Response 204: No content.

GET /api/v1/auth/me

Requires Authorization: Bearer <accessToken>.

Response 200:

{
  "id": "uuid", "email": "...", "fullName": "...", "role": "owner",
  "twoFactorEnabled": false, "lastLoginAt": "2026-02-23T10:00:00.000Z",
  "organization": { "id": "uuid", "name": "...", "country": "RS", "baseCurrency": "RSD", "language": "sr" }
}

1.3 Invoices (/invoices)

Source: apps/api/src/routes/invoices.ts, apps/api/src/services/invoice.service.ts

GET /api/v1/invoices

List invoices with pagination and filtering.

Query params:

Param Type Description
status enum draft, sent, viewed, paid, overdue, cancelled
customerId uuid Filter by customer
fromDate YYYY-MM-DD Invoice date from
toDate YYYY-MM-DD Invoice date to
page int Default 1
perPage int Default 20, max 100
sort string invoiceDate, totalAmount, createdAt
order string asc, desc

Response 200:

{
  "data": [{
    "id": "uuid", "invoiceNumber": "INV-2026-001",
    "customerId": "uuid", "customerName": "Acme Client",
    "invoiceDate": "2026-02-01", "dueDate": "2026-03-01",
    "currencyCode": "RSD", "totalAmount": "120000.0000",
    "status": "draft", "createdAt": "2026-02-01T10:00:00.000Z"
  }],
  "meta": { "total": 42, "page": 1, "perPage": 20, "totalPages": 3 }
}

GET /api/v1/invoices/:id

Get single invoice with all line items.

Response 200:

{
  "id": "uuid", "invoiceNumber": "INV-2026-001",
  "customerId": "uuid", "customerName": "...",
  "invoiceDate": "2026-02-01", "dueDate": "2026-03-01",
  "currencyCode": "RSD", "exchangeRate": "1.000000",
  "subtotal": "100000.0000", "taxAmount": "20000.0000",
  "discountAmount": "0.0000", "totalAmount": "120000.0000", "baseAmount": "120000.0000",
  "status": "draft", "sentAt": null, "paidAt": null,
  "items": [{
    "id": "uuid", "lineNumber": 1, "description": "Consulting services",
    "quantity": "10.00", "unitPrice": "10000.0000",
    "taxRate": "20.00", "lineTotal": "100000.0000", "accountId": "uuid"
  }],
  "notes": null, "terms": null, "pdfUrl": null,
  "createdBy": "uuid", "createdAt": "...", "updatedAt": "..."
}

Errors: 404 NOT_FOUND

POST /api/v1/invoices

Create invoice in draft status. Auto-generates invoice number (INV-YYYY-NNN). Locks exchange rate at invoiceDate.

Request body:

{
  "customerId": "uuid",
  "invoiceDate": "2026-02-01",
  "dueDate": "2026-03-01",
  "currencyCode": "RSD",
  "items": [
    { "description": "Consulting", "quantity": 10, "unitPrice": 10000, "taxRate": 20, "accountId": "uuid" }
  ],
  "notes": "Optional notes",
  "terms": "Net 30"
}

Response 201: Full invoice object (same as GET /:id)

Errors: 404 NOT_FOUND (customer), 400 VALIDATION_ERROR

PUT /api/v1/invoices/:id

Update invoice. Only allowed when status = draft.

Request body (partial):

{
  "invoiceDate": "2026-02-15",
  "dueDate": "2026-03-15",
  "items": [ ... ],
  "notes": "Updated notes"
}

Errors: 404 NOT_FOUND, 400 BAD_REQUEST (not draft)

PATCH /api/v1/invoices/:id/status

Change invoice status. Each action triggers double-entry transaction creation.

Request body:

{ "action": "send" }
{ "action": "mark-paid", "paidAt": "2026-02-20" }
{ "action": "cancel" }

Actions and effects:

Action From Status To Status Journal Entry
send draft sent DR Accounts Receivable / CR Revenue
mark-paid sent, viewed paid DR Bank / CR Accounts Receivable
cancel draft, sent, viewed cancelled None

Errors: 404 NOT_FOUND, 400 BAD_REQUEST (invalid transition), 400 BAD_REQUEST (accounts not found)

GET /api/v1/invoices/:id/pdf

Redirects to PDF URL in Cloudflare R2. Returns 404 if PDF not generated yet.

POST /api/v1/invoices/:id/send

Send invoice email to customer.

Request body:

{ "to": "customer@example.com", "subject": "Invoice ...", "message": "..." }

Response 200:

{ "sentAt": "...", "sentTo": "customer@example.com", "emailId": "..." }

Note: Email sending is a placeholder — not yet implemented.

DELETE /api/v1/invoices/:id

Delete invoice. Only allowed when status = draft.

Response 204: No content.

Errors: 404 NOT_FOUND, 400 BAD_REQUEST (not draft)

1.4 Expenses (/expenses)

Source: apps/api/src/routes/expenses.ts, apps/api/src/services/expense.service.ts

GET /api/v1/expenses

List with pagination.

Query params: status, category, vendorId, fromDate, toDate, page, perPage, sort, order

GET /api/v1/expenses/:id

Response 200:

{
  "id": "uuid", "expenseNumber": "EXP-2026-001",
  "vendorId": "uuid", "vendorName": "Office Supplies Ltd",
  "expenseDate": "2026-02-01", "category": "office",
  "currencyCode": "RSD", "exchangeRate": "1.000000",
  "amount": "5000.0000", "baseAmount": "5000.0000", "taxAmount": "850.0000",
  "paymentMethod": "bank_transfer", "accountId": "uuid",
  "description": "Office supplies purchase", "receiptUrl": null,
  "status": "pending", "approvedAt": null, "paidAt": null,
  "createdBy": "uuid", "createdAt": "...", "updatedAt": "..."
}

POST /api/v1/expenses

Create expense in pending status. Auto-generates number (EXP-YYYY-NNN).

Request body:

{
  "vendorId": "uuid",
  "expenseDate": "2026-02-01",
  "category": "office",
  "amount": 5000,
  "currencyCode": "RSD",
  "taxAmount": 850,
  "paymentMethod": "bank_transfer",
  "accountId": "uuid",
  "description": "Office supplies"
}

PUT /api/v1/expenses/:id

Update expense. Only pending status.

PATCH /api/v1/expenses/:id/approve

Approve expense. Creates double-entry: DR Expense Account / CR Accounts Payable

Response 200: Updated expense with status: approved

PATCH /api/v1/expenses/:id/pay

Mark expense paid. Creates double-entry: DR Accounts Payable / CR Bank

Response 200: Updated expense with status: paid

DELETE /api/v1/expenses/:id

Delete expense. Only pending status.

1.5 Contacts (/contacts)

Source: apps/api/src/routes/contacts.ts, apps/api/src/services/contact.service.ts

GET /api/v1/contacts

Query params: type (customer, vendor, both), search, page, perPage

GET /api/v1/contacts/:id

POST /api/v1/contacts

Request body:

{
  "type": "customer",
  "name": "Acme Client DOO",
  "email": "billing@acme.rs",
  "phone": "+381 11 123 4567",
  "registrationNumber": "12345678",
  "vatNumber": "123456789",
  "addressLine1": "Bulevar Kralja Aleksandra 1",
  "city": "Beograd", "postalCode": "11000", "country": "RS",
  "currencyCode": "RSD", "paymentTerms": 30,
  "notes": "VIP client"
}

PUT /api/v1/contacts/:id

DELETE /api/v1/contacts/:id

Soft-delete: sets isActive = false. Contact remains in database for historical records.

1.6 Accounts (Chart of Accounts) (/accounts)

Source: apps/api/src/routes/accounts.ts, apps/api/src/services/account.service.ts

GET /api/v1/accounts

Query params: typeId, isActive, includeBalances (boolean)

Response 200:

{
  "data": [{
    "id": "uuid", "code": "120", "name": "Potraživanja od kupaca",
    "accountTypeId": 1, "accountType": "Asset",
    "currencyCode": "RSD", "parentAccountId": null, "isActive": true
  }]
}

POST /api/v1/accounts

Request body: { "code": "1201", "name": "...", "accountTypeId": 1, "currencyCode": "RSD", "parentAccountId": "uuid" }

PUT /api/v1/accounts/:id

1.7 Transactions (General Ledger) (/transactions)

Source: apps/api/src/routes/transactions.ts

GET /api/v1/transactions

Query params: fromDate, toDate, accountId, referenceType (invoice, expense, payment, manual), referenceId, page, perPage, sort, order

Response 200:

{
  "data": [{
    "id": "uuid",
    "transactionDate": "2026-02-01",
    "description": "Invoice INV-2026-001",
    "debitAccountId": "uuid", "debitAccountCode": "120", "debitAccountName": "Receivables",
    "creditAccountId": "uuid", "creditAccountCode": "600", "creditAccountName": "Revenue",
    "amount": "120000.0000", "currencyCode": "RSD",
    "exchangeRate": "1.000000", "baseAmount": "120000.0000",
    "referenceType": "invoice", "referenceId": "uuid",
    "locked": false, "reconciled": false,
    "createdBy": "uuid", "createdAt": "..."
  }],
  "meta": { "total": 100, "page": 1, "perPage": 20, "totalPages": 5 }
}

GET /api/v1/transactions/:id

Full transaction detail including account type information.

POST /api/v1/transactions

Manual journal entry. Requires owner, admin, or accountant role. Debit and credit accounts must be different.

Request body:

{
  "transactionDate": "2026-02-01",
  "description": "Manual adjustment",
  "debitAccountId": "uuid",
  "creditAccountId": "uuid",
  "amount": 5000,
  "currencyCode": "RSD",
  "notes": "Correction entry"
}

Errors: 403 FORBIDDEN (viewer role), 422 VALIDATION_ERROR (same debit/credit account), 404 NOT_FOUND (accounts)

1.8 Reports (/reports)

Source: apps/api/src/routes/reports.ts, apps/api/src/services/report.service.ts

GET /api/v1/reports/dashboard

MTD metrics: cash balance, revenue, unpaid invoices, expenses, profit, monthly P&L (6 months), receivables aging, expenses by category.

GET /api/v1/reports/profit-loss

Query params: from (YYYY-MM-DD), to (YYYY-MM-DD)

Response 200:

{
  "period": { "from": "2026-01-01", "to": "2026-01-31" },
  "baseCurrency": "RSD",
  "revenue": { "total": "500000.0000", "accounts": [{ "accountCode": "600", "accountName": "Revenue", "amount": "500000.0000" }] },
  "expenses": { "total": "200000.0000", "accounts": [...] },
  "netProfit": "300000.0000"
}

GET /api/v1/reports/balance-sheet

Query params: date (YYYY-MM-DD, default: today)

Returns assets (current + fixed), liabilities (current + long-term), equity with account detail.

GET /api/v1/reports/cash-flow

Query params: from, to

Categorizes bank account transactions into operating, investing, and financing cash flows with opening/closing balance.

GET /api/v1/reports/vat

Query params: from, to

Returns output VAT (from invoices), input VAT (from expenses), net VAT, and reconciliation status.

GET /api/v1/reports/trial-balance

Query params: date (YYYY-MM-DD, default: today)

Returns all accounts with debit total, credit total, balance, and whether total debits equal total credits.

GET /api/v1/reports/general-ledger

Query params: accountId (optional), from, to

Returns accounts with individual transaction entries sorted by date, showing running debit/credit/counter-account.

1.9 Banking (/bank-accounts)

Source: apps/api/src/routes/banking.ts, apps/api/src/services/banking.service.ts

GET /api/v1/bank-accounts

List all bank accounts with balances.

GET /api/v1/bank-accounts/:id

Single bank account with recent transactions.

POST /api/v1/bank-accounts

Request body:

{
  "bankName": "UniCredit Banka",
  "accountNumber": "170-123456789-01",
  "iban": "RS35170006310000014243",
  "currencyCode": "RSD",
  "accountId": "uuid"
}

GET /api/v1/bank-accounts/:id/transactions

Query params: fromDate, toDate, reconciled (boolean), page, perPage

POST /api/v1/bank-accounts/:id/import

Import CSV bank statement. Request body: { "csvContent": "Date,Amount,..." }

Response:

{ "imported": 45, "duplicates": 3, "errors": 0 }

POST /api/v1/bank-accounts/:id/reconcile

Request body:

{
  "bankTransactionId": "uuid",
  "transactionId": "uuid"
}

1.10 Settings

Source: apps/api/src/routes/settings.ts, apps/api/src/services/settings.service.ts

GET /api/v1/organization

PUT /api/v1/organization

Requires owner or admin role.

Request body:

{
  "name": "Updated Name DOO",
  "registrationNumber": "12345678",
  "vatNumber": "123456789",
  "language": "sr"
}

GET /api/v1/users

Requires owner or admin role. Returns all users in the organization.

POST /api/v1/users/invite

Request body:

{ "email": "newuser@acme.rs", "fullName": "Jana Jović", "role": "accountant" }

PUT /api/v1/users/:id/role

Requires owner role only.

Request body:

{ "role": "admin" }

DELETE /api/v1/users/:id

Requires owner role. Cannot delete self.

GET /api/v1/currencies

List all active currencies with code, name, symbol, decimal places.

GET /api/v1/exchange-rates

Query params: baseCurrency, targetCurrency, date

GET /api/v1/settings/tax-rates

Get org-level tax rate overrides.

PUT /api/v1/settings/tax-rates

Requires owner or admin.

2. Database Schema Documentation

Source: packages/database/prisma/schema.prisma Database: PostgreSQL 15 ORM: Prisma

2.1 Entity Relationship Diagram

erDiagram
    Organization {
        UUID id PK
        VARCHAR(255) name
        VARCHAR(50) registrationNumber
        VARCHAR(50) vatNumber
        CHAR(3) baseCurrency "default: EUR"
        CHAR(2) country
        CHAR(2) language "default: sr"
        DATE fiscalYearStart
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    User {
        UUID id PK
        UUID organizationId FK
        VARCHAR(255) email UK
        VARCHAR(255) passwordHash
        VARCHAR(255) fullName
        ENUM role "owner|admin|accountant|viewer"
        BOOLEAN twoFactorEnabled
        VARCHAR(255) twoFactorSecret
        TIMESTAMP lastLoginAt
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    AccountType {
        INT id PK "autoincrement"
        VARCHAR(50) name UK
        ENUM normalBalance "debit|credit"
        TIMESTAMP createdAt
    }

    Account {
        UUID id PK
        UUID organizationId FK
        VARCHAR(10) code
        VARCHAR(255) name
        INT accountTypeId FK
        CHAR(3) currencyCode
        UUID parentAccountId FK "nullable, self-reference"
        BOOLEAN isActive
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    Contact {
        UUID id PK
        UUID organizationId FK
        ENUM type "customer|vendor|both"
        VARCHAR(255) name
        VARCHAR(255) email
        VARCHAR(50) phone
        VARCHAR(50) registrationNumber
        VARCHAR(50) vatNumber
        VARCHAR(255) addressLine1
        VARCHAR(255) addressLine2
        VARCHAR(100) city
        VARCHAR(20) postalCode
        CHAR(2) country
        CHAR(3) currencyCode
        INT paymentTerms "default: 30 days"
        TEXT notes
        BOOLEAN isActive
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    Invoice {
        UUID id PK
        UUID organizationId FK
        UUID customerId FK
        VARCHAR(50) invoiceNumber UK
        DATE invoiceDate
        DATE dueDate
        CHAR(3) currencyCode
        DECIMAL(12_6) exchangeRate
        DECIMAL(19_4) subtotal
        DECIMAL(19_4) taxAmount
        DECIMAL(19_4) discountAmount
        DECIMAL(19_4) totalAmount
        DECIMAL(19_4) baseAmount
        ENUM status "draft|sent|viewed|paid|overdue|cancelled"
        TIMESTAMP sentAt
        TIMESTAMP viewedAt
        TIMESTAMP paidAt
        TEXT notes
        TEXT terms
        VARCHAR(500) pdfUrl
        UUID createdBy FK
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    InvoiceItem {
        UUID id PK
        UUID invoiceId FK
        INT lineNumber
        VARCHAR(500) description
        DECIMAL(10_2) quantity
        DECIMAL(19_4) unitPrice
        DECIMAL(5_2) taxRate
        DECIMAL(19_4) lineTotal
        UUID accountId FK "nullable"
        TIMESTAMP createdAt
    }

    Expense {
        UUID id PK
        UUID organizationId FK
        UUID vendorId FK "nullable"
        VARCHAR(50) expenseNumber UK
        DATE expenseDate
        CHAR(3) currencyCode
        DECIMAL(12_6) exchangeRate
        DECIMAL(19_4) amount
        DECIMAL(19_4) baseAmount
        DECIMAL(19_4) taxAmount
        VARCHAR(100) category
        VARCHAR(50) paymentMethod
        UUID accountId FK "nullable"
        TEXT description
        VARCHAR(500) receiptUrl
        ENUM status "pending|approved|paid|rejected"
        UUID approvedBy FK "nullable"
        TIMESTAMP approvedAt
        TIMESTAMP paidAt
        UUID createdBy FK
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    Transaction {
        UUID id PK
        UUID organizationId FK
        DATE transactionDate
        VARCHAR(255) description
        UUID debitAccountId FK
        UUID creditAccountId FK
        DECIMAL(19_4) amount
        CHAR(3) currencyCode
        DECIMAL(12_6) exchangeRate
        DECIMAL(19_4) baseAmount
        VARCHAR(50) referenceType "invoice|expense|payment|manual"
        UUID referenceId "nullable"
        BOOLEAN locked "default: false"
        TIMESTAMP lockedAt
        BOOLEAN reconciled "default: false"
        TIMESTAMP reconciledAt
        TEXT notes
        UUID createdBy FK "nullable"
        TIMESTAMP createdAt
    }

    BankAccount {
        UUID id PK
        UUID organizationId FK
        UUID accountId FK
        VARCHAR(255) bankName
        VARCHAR(50) accountNumber
        VARCHAR(50) iban
        CHAR(3) currencyCode
        DECIMAL(19_4) currentBalance
        BOOLEAN isActive
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    BankTransaction {
        UUID id PK
        UUID bankAccountId FK
        DATE transactionDate
        DECIMAL(19_4) amount
        VARCHAR(500) description
        VARCHAR(255) reference
        BOOLEAN reconciled
        UUID matchedTransactionId "nullable"
        TIMESTAMP createdAt
    }

    Currency {
        CHAR(3) code PK
        VARCHAR(100) name
        VARCHAR(10) symbol
        SMALLINT decimalPlaces "default: 2"
        BOOLEAN isActive
        TIMESTAMP createdAt
    }

    ExchangeRate {
        UUID id PK
        CHAR(3) baseCurrency FK
        CHAR(3) targetCurrency FK
        DECIMAL(12_6) rate
        DATE effectiveDate
        VARCHAR(50) source
        TIMESTAMP lastUpdated
    }

    LoggedAction {
        BIGINT eventId PK "autoincrement"
        TEXT schemaName
        TEXT tableName
        UUID userId FK "nullable"
        TIMESTAMP actionTimestamp
        ENUM action "INSERT|UPDATE|DELETE"
        JSONB rowData "full row snapshot"
        JSONB changedFields "diff for UPDATE"
        TEXT queryText
        INET clientIp
        TEXT applicationName "default: fiken-clone-api"
    }

    SchemaVersion {
        VARCHAR(20) version PK
        TIMESTAMP appliedAt
        TEXT description
    }

    Organization ||--o{ User : has
    Organization ||--o{ Account : owns
    Organization ||--o{ Contact : owns
    Organization ||--o{ Invoice : owns
    Organization ||--o{ Expense : owns
    Organization ||--o{ Transaction : owns
    Organization ||--o{ BankAccount : owns
    AccountType ||--o{ Account : classifies
    Account ||--o{ Account : "parent-child"
    Contact ||--o{ Invoice : "billed to"
    Contact ||--o{ Expense : "billed from"
    Invoice ||--o{ InvoiceItem : contains
    Account ||--o{ InvoiceItem : "revenue account"
    Account ||--o{ Expense : "expense account"
    Account ||--o{ BankAccount : links
    Account ||--o{ Transaction : "debit side"
    Account ||--o{ Transaction : "credit side"
    BankAccount ||--o{ BankTransaction : holds
    Currency ||--o{ ExchangeRate : "base"
    Currency ||--o{ ExchangeRate : "target"
    User ||--o{ LoggedAction : audits

2.2 Key Indexes

Table Index Columns Purpose
users idx_users_organization organizationId User lookup by org
users idx_users_email email Login lookup
accounts idx_accounts_organization organizationId List accounts by org
accounts Unique organizationId, code Prevent duplicate account codes
invoices idx_invoices_organization organizationId List invoices by org
invoices idx_invoices_status status Filter by status
invoices idx_invoices_due_date dueDate Overdue detection
invoices idx_invoices_org_status_date organizationId, status, invoiceDate Complex report queries
transactions idx_transactions_org_date organizationId, transactionDate Date range queries
transactions idx_transactions_reference referenceType, referenceId Find transactions for an invoice/expense
exchange_rates idx_exchange_rates_pair baseCurrency, targetCurrency Currency pair lookup
exchange_rates Unique baseCurrency, targetCurrency, effectiveDate One rate per pair per day
logged_actions idx_logged_actions_timestamp actionTimestamp Audit log queries by time

3. Service Layer Design

All services follow the same pattern:

3.1 InvoiceService

File: apps/api/src/services/invoice.service.ts

Method Description
listInvoices(orgId, params) Paginated list with filters
getInvoice(orgId, id) Single invoice with items
createInvoice(orgId, userId, data) Create draft, calculate amounts, lock exchange rate
updateInvoice(orgId, id, data) Update draft only, recalculate if items changed
changeInvoiceStatus(orgId, id, data) Dispatches to sendInvoice(), markInvoicePaid(), cancelInvoice()
deleteInvoice(orgId, id) Delete draft only
generateInvoiceNumber(orgId) INV-YYYY-NNN sequential
getExchangeRate(from, to, date) DB lookup, falls back to 1.0 with warning
sendInvoice(invoice) Prisma tx: create DR Receivable/CR Revenue + update status
markInvoicePaid(invoice, paidAt) Prisma tx: create DR Bank/CR Receivable + update status

3.2 ExpenseService

File: apps/api/src/services/expense.service.ts

Method Description
listExpenses(orgId, params) Paginated list with filters
getExpense(orgId, id) Single expense
createExpense(orgId, userId, data) Create pending, lock exchange rate
updateExpense(orgId, id, data) Update pending only
approveExpense(orgId, id, userId) Prisma tx: create DR Expense/CR Payable + update status
payExpense(orgId, id) Prisma tx: create DR Payable/CR Bank + update status
deleteExpense(orgId, id) Delete pending only

3.3 ContactService

File: apps/api/src/services/contact.service.ts

Method Description
listContacts(orgId, params) Paginated list with type filter
getContact(orgId, id) Single contact
createContact(orgId, data) Create contact
updateContact(orgId, id, data) Update contact
deleteContact(orgId, id) Soft delete (isActive = false)

3.4 AccountService

File: apps/api/src/services/account.service.ts

Method Description
listAccounts(orgId, params) List with optional balance calculation
createAccount(orgId, data) Create account (checks code uniqueness)
updateAccount(orgId, id, data) Update account metadata

3.5 ReportService

File: apps/api/src/services/report.service.ts

Method Description
getDashboard(orgId) Aggregate MTD metrics
getProfitLoss(orgId, query) Revenue vs expense by account, net profit
getBalanceSheet(orgId, query) Assets, liabilities, equity as of date
getCashFlow(orgId, query) Operating/investing/financing cash flows
getVATReport(orgId, query) Output VAT (invoices) vs input VAT (expenses), net
getTrialBalance(orgId, query) All accounts with debit/credit totals, balanced check
getGeneralLedger(orgId, query) Per-account transaction history

3.6 BankingService

File: apps/api/src/services/banking.service.ts

Method Description
listBankAccounts(orgId) List all active bank accounts
getBankAccount(orgId, id) Single account with recent transactions
createBankAccount(orgId, data) Create bank account linked to GL account
listBankTransactions(orgId, bankAccountId, params) Paginated bank transactions
importBankStatement(orgId, bankAccountId, csvContent) Parse CSV, detect duplicates, insert
reconcileTransaction(orgId, bankAccountId, body) Match bank transaction to GL transaction

3.7 SettingsService

File: apps/api/src/services/settings.service.ts

Method Description
getOrganization(orgId) Organization details
updateOrganization(orgId, data) Update organization metadata
listUsers(orgId, params) List users in org
inviteUser(orgId, data) Create user with temporary password
changeUserRole(orgId, userId, requesterId, data) Change role (cannot demote self)
deleteUser(orgId, userId, requesterId) Remove user (cannot delete self)
listCurrencies() All active currencies
getExchangeRate(params) Get rate for currency pair on date
getTaxRates(orgId) Get org tax rate config
updateTaxRates(orgId, data) Update tax rate config

4. Middleware Stack

File: apps/api/src/app.ts

Order is critical. Each middleware passes control to next() or sends error response.

Request
   │
   ▼
1. helmet()              — Sets security headers (CSP, HSTS, X-Frame-Options: deny, noSniff)
   │
   ▼
2. cors()                — Validates Origin header against whitelist [bilko.io, localhost:3000]
   │                       credentials: true (allows cookies)
   ▼
3. express.json()        — Parses request body as JSON (limit: 10mb)
   │
   ▼
4. express.urlencoded()  — Parses URL-encoded bodies (limit: 10mb)
   │
   ▼
5. cookieParser()        — Parses cookie header, makes cookies accessible via req.cookies
   │
   ▼
6. apiLimiter            — Rate limit: 100 req per 15 min per IP (applied to /api/v1/*)
   │   authLimiter       — Stricter rate limit on /auth/login and /auth/register
   ▼
7. routes                — Mounts all route modules at /api/v1
   │
   ├── authGuard()       — Verifies JWT Bearer token, attaches req.user
   │                       Source: apps/api/src/middleware/auth.ts
   │
   ├── organizationScope() — Validates req.user.organizationId (currently no-op, used as anchor)
   │                         Source: apps/api/src/middleware/org-scope.ts
   │
   ├── validate(schema)  — Validates req.body or req.query against Zod schema
   │                       Source: apps/api/src/middleware/validate.ts
   │
   └── routeHandler      — Business logic (calls service layer)
   │
   ▼
8. errorHandler()        — Centralized error handler (MUST be last)
                           Source: apps/api/src/middleware/error-handler.ts
                           Translates AppError → HTTP status + JSON

Error response format:

{
  "error": "Invoice not found",
  "code": "NOT_FOUND",
  "details": {}
}

HTTP status codes used:

5. Double-Entry Bookkeeping Implementation

Core library: packages/core/src/accounting/index.ts Prisma model: Transaction in packages/database/prisma/schema.prisma

5.1 Fundamental Rule

Every financial event creates exactly one Transaction record with:

5.2 validateDoubleEntry() (core engine)

// packages/core/src/accounting/index.ts
export function validateDoubleEntry(lines: JournalEntryLine[]): boolean {
  // Returns false if: < 2 lines, negative amounts, unbalanced
  let totalDebits = new Decimal(0);
  let totalCredits = new Decimal(0);
  for (const line of lines) {
    const amount = new Decimal(line.amount);
    if (amount.lte(0)) return false;
    if (line.side === 'debit') totalDebits = totalDebits.plus(amount);
    else totalCredits = totalCredits.plus(amount);
  }
  return totalDebits.eq(totalCredits);
}

5.3 Transaction Creation Patterns

Invoice sent (DR Receivable / CR Revenue):

DR  Accounts Receivable (code: 12x)   +120,000 RSD
    CR  Revenue (code: 6xx)                       +120,000 RSD

Payment received (DR Bank / CR Receivable):

DR  Bank Account (code: 10x)          +120,000 RSD
    CR  Accounts Receivable (code: 12x)            +120,000 RSD

Expense approved (DR Expense / CR Payable):

DR  Expense Account (code: 5xx)       +5,000 RSD
    CR  Accounts Payable (code: 22x)               +5,000 RSD

Expense paid (DR Payable / CR Bank):

DR  Accounts Payable (code: 22x)      +5,000 RSD
    CR  Bank Account (code: 10x)                    +5,000 RSD

5.4 Account Lookup Strategy

Services find accounts by account type ID + code prefix:

Code prefixes (Balkan chart of accounts):

5.5 Trial Balance

// packages/core/src/accounting/index.ts
export function calculateTrialBalance(transactions: JournalEntry[]): TrialBalance {
  // Groups by accountNumber, sums debits and credits
  // Returns: { rows[], totalDebits, totalCredits, isBalanced }
  // isBalanced = totalDebits.eq(totalCredits)
}

6. Tax Calculation Logic Per Country

Core module: packages/core/src/tax/index.ts Country modules: packages/country-{rs|ba|hr}/src/tax/index.ts

6.1 Serbia (RS)

File: packages/country-rs/src/tax/index.ts

Rate Value Applies To
Standard 20% Most taxable supplies
Reduced 10% Basic food, medicine, newspapers, public transport, utilities
Zero/Exempt 0% Exports, international transport, financial services 
export const serbianVATRates = {
  standard: '20', reduced: '10', zero: '0', exempt: '0'
}

// VAT registration: mandatory above 8M RSD annual revenue
export const SERBIAN_VAT_THRESHOLD = '8000000';
// Pausal (simplified) regime: below 6M RSD
export const SERBIAN_PAUSAL_THRESHOLD = '6000000';
// Corporate income tax
export const SERBIAN_CIT_RATE = '15'; // flat 15%

Key function:

export function calculateSerbianPDV(amount: MonetaryAmount, rate = 'standard'): string {
  // Returns: net.times(rateDecimal).dividedBy(100).toFixed(2)
}

6.2 Bosnia & Herzegovina (BA)

File: packages/country-ba/src/tax/index.ts

Rate Value Applies To
Standard 17% All taxable supplies (single rate, no reduced)
Zero 0% Exports 
export const bosnianVATRates = { standard: '17', zero: '0' }
// Registration threshold: 100,000 BAM
export const BIH_VAT_THRESHOLD = '100000';
// CIT: 10% for both FBiH and RS entities
export const BIH_CIT_RATES = { fbih: '10', rs: '10' }
// WHT: FBiH dividends 5%, RS dividends 10%
export const BIH_WHT_RATES = { fbih: { dividends: '5', interest: '10' }, rs: { dividends: '10', ... } }

6.3 Croatia (HR)

File: packages/country-hr/src/tax/index.ts

Rate Value Applies To
Standard 25% Most taxable supplies
Reduced 13% Food products, accommodation, utilities
Super-reduced 5% Books, medicines, newspapers
Zero 0% Intra-EU transport, international transport 
export const croatianVATRates = { standard: '25', reduced: '13', superReduced: '5', zero: '0' }
// Registration threshold: 60,000 EUR (aligned with EU 2025)
export const CROATIAN_VAT_THRESHOLD = '60000';
// CIT: progressive — 10% if revenue < 1M EUR, 18% if >= 1M EUR
export const CROATIAN_CIT_RATES = { small: '10', standard: '18', threshold: '1000000' }

6.4 Generic VAT Calculation (Core Engine)

// packages/core/src/tax/index.ts
export function calculateVAT(amount: MonetaryAmount, rate: MonetaryAmount): VATResult {
  const base = new Decimal(amount);       // net amount
  const vatRate = new Decimal(rate);
  const tax = base.times(vatRate).dividedBy(100);
  const total = base.plus(tax);
  return {
    base: new Decimal(base.toFixed(4)),
    tax: new Decimal(tax.toFixed(4)),
    total: new Decimal(total.toFixed(4)),
  };
}

export function calculateNetFromGross(grossAmount: MonetaryAmount, vatRate: MonetaryAmount): VATResult {
  // Reverse VAT: gross / (1 + rate/100)
  const divisor = new Decimal(100).plus(new Decimal(vatRate)).dividedBy(100);
  const base = new Decimal(grossAmount).dividedBy(divisor);
  ...
}

7. Invoice Lifecycle

7.1 Status Machine

draft ──[send]──► sent ──[mark-paid]──► paid
  │                 │
  │            [cancel]
  │                 │
  └────[cancel]──► cancelled
                sent ──[overdue cron]──► overdue ──[mark-paid]──► paid
                viewed ──[mark-paid]──► paid

7.2 Numbering

Invoice numbers are generated sequentially per organization per year: INV-YYYY-NNN (e.g., INV-2026-001). The service queries the last invoice number with the current year prefix and increments.

private async generateInvoiceNumber(organizationId: string): Promise<string> {
  const year = new Date().getFullYear();
  const prefix = `INV-${year}-`;
  const lastInvoice = await prisma.invoice.findFirst({
    where: { organizationId, invoiceNumber: { startsWith: prefix } },
    orderBy: { invoiceNumber: 'desc' },
  });
  const nextNumber = lastInvoice ? parseInt(lastInvoice.invoiceNumber.split('-')[2]) + 1 : 1;
  return `${prefix}${String(nextNumber).padStart(3, '0')}`;
}

7.3 Amount Calculation

On create/update:

  1. For each line item: lineTotal = quantity × unitPrice
  2. taxAmount per line: lineTotal × taxRate / 100
  3. subtotal = Σ lineTotals
  4. taxAmount = Σ lineTax amounts
  5. totalAmount = subtotal + taxAmount
  6. baseAmount = totalAmount × exchangeRate

All using Decimal.js — never JavaScript number.

8. Bank Import Flow

Source: packages/core/src/bank-import/index.ts

8.1 CSV Format

Date,Amount,Currency,Direction,Counterparty,Reference,Description
2026-02-01,5000.00,RSD,inbound,Acme Client,INV-2026-001,Invoice payment

Supported date formats: YYYY-MM-DD, DD.MM.YYYY, DD/MM/YYYY

8.2 Import Process

POST /api/v1/bank-accounts/:id/import
  │
  ├── parseCSV(csvContent) → BankTransaction[]
  │     - Split by newline, skip header
  │     - Parse each field: date, amount, currency, direction, reference
  │     - Generate deterministic ID for dedup: hash(date|amount|currency|reference|lineIndex)
  │
  ├── detectDuplicates(existingTxs, importedTxs)
  │     - Fingerprint: YYYY-MM-DD|amount|currency|reference
  │     - Returns list of duplicate transactions
  │
  ├── Filter out duplicates
  │
  └── Insert new BankTransactions into database
        Returns: { imported: N, duplicates: M, errors: K }

8.3 Reconciliation

Manual reconciliation links a BankTransaction to a Transaction (GL entry):

POST /api/v1/bank-accounts/:id/reconcile
  body: { bankTransactionId, transactionId }
  │
  ├── Verify both belong to organization
  ├── Set BankTransaction.reconciled = true
  ├── Set BankTransaction.matchedTransactionId = transactionId
  └── Set Transaction.reconciled = true

9. Core Engine Modules

Package: @bilko/core (packages/core/src/)

Module File Purpose
accounting src/accounting/index.ts validateDoubleEntry, createJournalEntry, calculateTrialBalance
tax src/tax/index.ts calculateVAT, calculateNetFromGross, getVATRates, calculateCIT
multi-currency src/multi-currency/index.ts convertCurrency, lockExchangeRate, calculateForexGainLoss
bank-import src/bank-import/index.ts parseCSV, detectDuplicates
invoicing src/invoicing/index.ts Invoice computation helpers
chart-of-accounts src/chart-of-accounts/index.ts Chart structure definitions
reporting src/reporting/index.ts Report calculation utilities

Key constraint: MonetaryAmount = string | Decimal — JavaScript number is never used for monetary values anywhere in the core engine.

Architecture

Validation Report

Bilko Validation Report

Date: 2026-02-20 Validator: John (AI Director) — Gate Validation Phase Project ID: bbd77cc0

Executive Summary

7 out of 8 gates PASS. Bilko is architecturally sound with comprehensive documentation, validated schema, and working frontend prototype. Gate 8 (CEO Approval) remains PENDING as required. No blocking issues found. Ready for executive review.

Key Findings:

Gate Results

Gate 1: Market Research — PASS

Evidence: ~/system/specs/bilko-prd.md (lines 11-22) Findings:

Issues: None

Gate 2: Competitive Analysis — PASS

Evidence: ~/system/specs/bilko-prd.md (implicit in positioning), ~/system/specs/bilko-tech-stack.md (lines 45-49, alternatives sections) Findings:

Issues: None

Gate 3: Tech Stack Decision — PASS

Evidence: ~/system/specs/bilko-tech-stack.md (full doc), /Users/makinja/ALAI/products/Bilko/apps/web/package.json Findings:

Issues: None

Gate 4: Product Requirements (PRD) — PASS

Evidence: ~/system/specs/bilko-prd.md (137 lines) Findings:

Cross-validation with schema:

Issues: None

Gate 5: Database Schema — PASS

Evidence: /Users/makinja/ALAI/products/Bilko/packages/database/prisma/schema.prisma (485 lines), docs/backend/DATABASE-SCHEMA.md (600+ lines) Findings:

Schema Coverage (15 models):

PRD Feature Validation:

  1. ✅ Invoicing & Estimates — Invoice model with line items, VAT calculation, multi-currency, status tracking
  2. ✅ Expense Tracking — Expense model with categories, receipt URL, payment method
  3. ✅ Bank Integration — BankAccount + BankTransaction models with reconciliation flags
  4. ✅ Financial Reporting — Transaction + Account models support P&L, Balance Sheet, Cash Flow
  5. ✅ VAT/Tax Management — InvoiceItem.taxRate, Expense.taxAmount
  6. ✅ Double-Entry Bookkeeping — Transaction model with debitAccount + creditAccount, NormalBalance enum
  7. ✅ Multi-Device Access — API-first architecture (supports web + mobile PWA)
  8. ✅ User Collaboration — User model with role enum, LoggedAction audit trail
  9. ✅ Security — LoggedAction immutable audit, password hashing, 2FA fields (twoFactorEnabled, twoFactorSecret)

Critical Validations:

No Phantom Features:

Issues: None

Gate 6: UI/UX Design — PASS

Evidence: ~/system/specs/bilko-wireframes.md (634 lines), apps/web/ implementation (10 pages), docs/frontend/ (5 files) Findings:

Wireframe Coverage:

Implemented Pages (10):

  1. /dashboard — Dashboard with metrics + charts
  2. /invoices — Invoice list with search/filter
  3. /invoices/new — 6-step invoice wizard
  4. /expenses — Expense list
  5. /purchases — Alias to expenses
  6. /banking — Placeholder (wireframe pending)
  7. /reports — Reports hub
  8. /reports/vat — VAT report
  9. /settings — User settings
  10. / (root) — Redirects to dashboard

Design System Consistency:

Cross-validation (tailwind.config.ts vs DESIGN-SYSTEM.md):

Responsive Design:

Issues: None

Gate 7: Regulatory Compliance — PASS

Evidence: docs/regulatory/ (4 files: SERBIA-SEF.md, BIH-PDV.md, CROATIA-ERACUN.md, CHART-OF-ACCOUNTS.md) Findings:

Serbia (SERBIA-SEF.md — 351 lines):

Bosnia & Herzegovina (BIH-PDV.md — 310 lines):

Croatia (CROATIA-ERACUN.md — 404 lines):

Chart of Accounts (CHART-OF-ACCOUNTS.md — 523 lines):

Tax Rates Cross-Check:

MVP Blockers:

Issues: None (2 MEDIUM-confidence items are not MVP blockers)

Gate 8: CEO Approval — PENDING

Evidence: Awaiting Alem review Findings:

Executive Summary for CEO:

  1. Business Case:

    • TAM: €50-150M (348K businesses across Serbia, BiH, Croatia)
    • Forcing function: Croatia 2026 e-invoicing mandate
    • Pricing: €8-25/month (competitive with Fiken, undercuts QuickBooks)
    • Bootstrap budget: €2K MVP, €11-17K Phase 1

  2. Technical Architecture:

    • Next.js 15 + React 19 + PostgreSQL + Prisma (proven stack)
    • Frontend: 10 pages implemented with mock data (ready for API integration)
    • Database: 15 models, fully validated against PRD
    • Hosting: €21/mo MVP (Vercel + Railway)

  3. Regulatory Compliance:

    • All 3 target countries researched (Serbia, BiH, Croatia)
    • Tax rates verified, e-invoicing requirements documented
    • Chart of Accounts standards identified
    • No blocking compliance issues

  4. Documentation Quality:

    • 23 documentation files, 12,127 lines total
    • Backend specification complete (50 API endpoints)
    • Frontend specification complete (design system + component inventory)
    • Testing strategy defined (Vitest + Supertest + Playwright)
    • Security architecture planned (JWT, RBAC, encryption)

  5. Resource Plan:

    • Timeline: 8-10 weeks MVP
    • Team: 1 developer (€3-5K/month), 1 accounting advisor (€500/month)
    • Next step: Hire developer, finalize brand name (Bilko reserved)

  6. Risk Assessment:

    • LOW RISK: BiH e-invoicing pending (can use PDF invoices initially)
    • LOW RISK: Serbia SEF integration requires digital cert (defer to post-MVP)
    • MEDIUM RISK: Competitive market (mitigated by Balkan localization)

  7. Go-to-Market Strategy:

    • Launch: Serbia first (largest market, SEF integration differentiator)
    • Expand: Croatia (e-invoicing mandate = forced adoption)
    • Expand: BiH (when e-invoicing regulations finalized)

Recommendation: APPROVE — All gates validated, architecture sound, regulatory research complete, no blocking issues.

Next Steps (if approved):

  1. Hire backend developer (€3-5K/month)
  2. Hire accounting advisor (€500/month, Serbia-based)
  3. Backend implementation (8-10 weeks)
  4. Beta testing with 5 SMBs + 3 accountants
  5. Launch Serbia MVP

Issues: None

Cross-Document Consistency Check

CLAUDE.md files:

Specs vs Docs:

No Contradictions Found:

Issues Found

# Severity Gate Issue Recommendation
1 INFO 7 Serbia digital certificate requirement has MEDIUM confidence Consult local accounting advisor before SEF integration
2 INFO 7 BiH e-invoicing regulations pending (draft law in Parliament) Monitor UNO/ITA website, can launch with PDF invoices initially

No HIGH-severity issues. No MEDIUM-severity issues blocking MVP.

Conclusion

Bilko has passed all 7 pre-approval gates with ZERO blocking issues. The project demonstrates:

  1. Thorough research — Real market data, real competitors, regulatory compliance verified
  2. Sound architecture — Database schema validated, double-entry enforced, multi-currency correct
  3. Comprehensive documentation — 23 files, 12,127 lines, covering backend, frontend, infrastructure, security, testing, regulatory
  4. Working prototype — 10 pages implemented, design system consistent, mock data ready for API replacement
  5. No hallucinations — All file paths valid, all companies real, all numbers cross-validated

READY FOR GATE 8 CEO APPROVAL.

Validation completed by: John (AI Director) Timestamp: 2026-02-20T11:45:00Z Validator confidence: HIGH (all source files read and cross-validated)

Architecture

Bilko — Project Handbook

Bilko — Balkan Accounting SaaS

BookStack — Provjeri PRVO

Prije traženja bilo čega — provjeri BookStack (http://localhost:6875). Centralna baza znanja za tools, skills, hooks, agents, rules, projekte, klijente, dokumentaciju. Ako odgovor postoji tamo — NE TRAŽI dalje.

Quick Info

Branding

Tech Stack

Project Structure

Bilko/
├── apps/
│   ├── web/          # Next.js 15 frontend — 8+ pages, MOCK DATA
│   └── api/          # Express backend — EMPTY (see api/CLAUDE.md)
├── packages/
│   ├── database/     # Prisma schema — 15 models, FULLY DEFINED
│   └── ui/           # Shared UI — empty scaffold
├── docs/             # TO BE CREATED
├── CLAUDE.md         # This file
└── PIPELINE.md       # Gate tracker

Frontend Status (apps/web/)

IMPLEMENTED:

MOCK DATA: All data from apps/web/lib/mock-data.ts — MUST be replaced with real API calls when backend ready.

Database Status (packages/database/)

FULLY DEFINED: 15 models in prisma/schema.prisma

KEY DECISIONS:

Backend Status (apps/api/)

NOT BUILT YET. See apps/api/CLAUDE.md for target architecture. When building, follow docs/backend/API-REFERENCE.md (to be created).

Development Rules

  1. Money = NUMERIC(19,4) — NEVER use float or number for currency
  2. Double-entry always — Every financial event = debit + credit entries
  3. Multi-currency locking — Exchange rate locked at transaction date
  4. Immutable audit — LoggedAction is append-only, NEVER delete
  5. Mock data replacement — Flag all mock data usage, replace with API calls
  6. Schema migrations — Always create new migration, NEVER edit existing

Specs Location

All specs in ~/system/specs/bilko-*.md:

Documentation

Architecture

Pipeline Gate Tracker

Bilko Pipeline — 8-Gate Tracker

Overview

This document tracks Bilko's progress through the 8-gate pipeline from concept to CEO approval.

Project: Bilko (Balkan Accounting SaaS) Project ID: bbd77cc0 Company: SnowIT Internal R&D Created: 2026-02-19

Gate Definitions

  1. Market Research — TAM/SAM/SOM analysis, customer pain points
  2. Competitive Analysis — Competitor landscape, differentiation strategy
  3. Tech Stack Decision — Frontend, backend, database, hosting choices
  4. Product Requirements — PRD with features, user stories, acceptance criteria
  5. Database Schema — Full schema design validated against PRD
  6. UI/UX Design — Wireframes, mockups, design system
  7. Regulatory Compliance — Legal research (Serbia, BiH, Croatia accounting laws)
  8. CEO Approval — Final go/no-go decision from Alem

Current Status

Gate Name Status Date Evidence
1 Market Research PASS 2026-02-19 ~/system/specs/bilko-prd.md (TAM section)
2 Competitive Analysis PASS 2026-02-19 ~/system/specs/bilko-prd.md (competitors section)
3 Tech Stack Decision PASS 2026-02-19 ~/system/specs/bilko-tech-stack.md
4 Product Requirements PASS 2026-02-20 Validated — All features mapped to schema, acceptance criteria defined
5 Database Schema PASS 2026-02-20 Validated — 15 models cover all PRD features, double-entry enforced
6 UI/UX Design PASS 2026-02-20 Validated — 10 pages implemented, design system consistent
7 Regulatory Compliance PASS 2026-02-20 Validated — All 3 countries researched (Serbia, BiH, Croatia), no blockers
8 CEO Approval PASS 2026-02-20 Approved by Alem — CODE UNFROZEN

Gate Validation Summary (2026-02-20)

Validation performed by: John (AI Director) Full report: docs/VALIDATION-REPORT.md

Gate 4: Product Requirements — PASS

Gate 5: Database Schema — PASS

Gate 6: UI/UX Design — PASS

Gate 7: Regulatory Compliance — PASS

Gate 8: CEO Approval — PASS

Approved by Alem on 2026-02-20

CODE UNFROZEN — Backend development started

Deliverables:

Backend Status (2026-02-20):

Next Steps:

  1. Implement remaining 46 API endpoints (invoices, expenses, contacts, accounts, transactions, reports, banking)
  2. Create Zod validators for all endpoints
  3. Add integration tests for auth flow
  4. Connect frontend to real backend (replace mock data)
  5. Beta testing with 5 SMBs + 3 accountants

Status: DEVELOPMENT IN PROGRESS

All 8 gates PASSED — Project approved and active

Decision Log

Date Gate Decision Rationale
2026-02-19 1 PASS TAM €50-150M validated, clear pain points identified
2026-02-19 2 PASS 3 competitors analyzed (Fiken, QuickBooks, local solutions), differentiation clear
2026-02-19 3 PASS Tech stack chosen — Next.js + Express + PostgreSQL (proven, scalable)
2026-02-20 4 PASS PRD complete — all features mapped to schema, acceptance criteria defined
2026-02-20 5 PASS Schema validated — 15 models cover all PRD features, double-entry enforced, NUMERIC(19,4) for money
2026-02-20 6 PASS Design validated — 10 pages implemented, design system consistent, responsive
2026-02-20 7 PASS Regulatory validated — All 3 countries researched, no blocking issues, 2 MEDIUM items not MVP blockers
2026-02-20 8 PASS CEO approval granted — Backend foundation implemented, 4/50 endpoints live, development started

Notes

References

Architecture

ADR-022 — Document Archive Strategy

MC #100025 | Published 2026-05-08 | Status: Approved (Pattern 3 — Skybound)
Related: SPEC-022COMPLIANCE-022

ADR-022: Document Archive Strategy for Paperless-ngx Integration

Status: Proposed Date: 2026-05-08 Author: Skybound (ALAI SaaS Architecture) Related: MC #100025, MC #100004 (IMAP→Paperless pipe)

---

Context

Business Need

Bilko generates high-value, low-frequency documents requiring long-term archival in a centralized, searchable repository:

Current state: documents generated in-app (PDF via pdfkit), stored in Cloudflare R2 (configured, see BUILD-BLUEPRINT.md line 64), but no archival pipe to Paperless-ngx at archive.alai.no.

CEO question (2026-05-08): "Does Bilko have email→Paperless integration?" Answer: NO. This ADR selects the archival pattern before implementation begins.

Paperless-ngx Environment

Bilko Technical Constraints

From BUILD-BLUEPRINT.md:

Paperless-ngx Multi-Tenant Capabilities

Paperless-ngx is NOT multi-tenant at the DB schema level. Tenant isolation MUST be enforced via:

1. Tags (e.g., org:uuid-abc123) 2. Correspondent field (one correspondent per tenant, e.g., "Org: Firma AS") 3. Document Type field (e.g., "Invoice", "Contract", "Care Plan") 4. Custom Fields (optional key-value metadata)

All three can be set via POST /api/documents/post_document/ API.

---

Decision

Bilko will write documents to a Cloudflare R2 bucket (already in use) with metadata attached (organizationId, documentType, timestamp). A separate Cloud Run job (or Cron Worker, TBD in implementation phase) reads the queue and uploads to Paperless-ngx via direct API call, applying multi-tenant tags (org:uuid-xxx), correspondent, and document type.

Fallback during outages: If archiver job fails or Paperless is unavailable, documents remain in R2 with idempotent retry semantics. Bilko user experience is never degraded by Paperless downtime.

---

Decision Drivers

CriterionWeightPattern 1 (Email)Pattern 2 (Direct API)Pattern 3 (Blob Queue)
---------------------------------------------------------------------------------------------
Multi-tenant scopingHIGH3/54/55/5
Bilko couplingHIGH5/52/55/5
Paperless couplingHIGH4/51/55/5
Retry/idempotencyHIGH2/53/55/5
Auth modelMED5/52/54/5
Dev velocityMED5/54/53/5
Ops surfaceMED4/55/53/5
Cross-cloud friendlinessMED5/53/55/5
Dedup strategyLOW2/54/55/5
Scalability (>1k docs/day)LOW2/55/55/5
TOTAL (weighted sum)3.6/53.2/54.6/5

Scoring rationale:

---

Consequences

Positive

1. Bilko never blocks on Paperless downtime. User uploads document, gets immediate success (R2 write ~50ms), archival happens async. 2. Idempotent retry semantics. Worker crashes mid-upload? R2 object still there, retry on next cron run (dedupe via object key or Paperless custom_fields SHA256). 3. Multi-tenant isolation enforced at archival layer. Worker reads organizationId from R2 metadata → applies tags=org:uuid-abc123 + correspondent="Firma AS (uuid-abc123)" in Paperless. Search in Paperless UI: filter by tag = instant tenant-scoped results. 4. Scales to additional archive targets. Worker can fan-out to Paperless + S3 Glacier + OneDrive (future). Bilko unchanged. 5. Zero cross-cloud hot-path latency. Bilko writes to R2 (same Cloudflare edge region as app), worker polls async. 6. Reuses existing R2 bucket. No new storage provisioning. R2 lifecycle policy can auto-delete after N days post-archive (cost optimization).

Negative

1. Eventual consistency. Document archived 1–15 minutes after user upload (depends on worker cron interval). If CEO searches Paperless 30 seconds after upload, doc not yet there. 2. Additional ops surface. Worker must be monitored (cron health check, dead-letter queue for failed uploads). 3. Dev velocity slower than Pattern 1. Must scaffold worker + deploy pipeline + monitoring.

Neutral

1. Auth surface expands slightly. Worker holds CF Access token + Paperless API token. Rotation = worker redeploy or Secret Manager update (already standard for GCP Cloud Run). 2. R2 becomes queue. If worker stops (VM crash, deployment), R2 accumulates unprocessed docs. Recovery = restart worker, process backlog.

---

Alternatives Considered

Pattern 1 — App→Email→Paperless (Relay)

How it works: Bilko backend sends document as attachment to dedicated inbox (e.g., bilko-archive@alai.no). Daemon (MC #100004 pipe) polls inbox, uploads to Paperless.

Pros:

Cons:

Rejection rationale: Multi-tenant scoping via email subject/filename parsing is fragile. Email attachment size limits block future use cases (e.g., scanned multi-page contracts = 50MB PDF). No idempotent retry (email duplicates on send retry).

---

Pattern 2 — App→Direct Paperless API (Push)

How it works: Bilko backend calls POST https://archive.alai.no/api/documents/post_document/ directly with app-scoped CF Access service token + Paperless API token. Synchronous upload during user request.

Pros:

Cons:

Rejection rationale: Paperless availability becomes Bilko UX blocker. User uploads signed contract, archive.alai.no is down, user sees "Upload failed" even though contract PDF saved to R2. Unacceptable UX degradation for external dependency. Cross-cloud latency (250ms) in hot path for low-value sync feedback.

---

Pattern 3 — App→Shared Blob→Archiver Job (Batch) [RECOMMENDED]

How it works: Bilko writes document to Cloudflare R2 bucket (alai-bilko-archive-queue/ prefix or separate bucket) with metadata:

{
  "organizationId": "uuid-abc123",
  "organizationName": "Firma AS",
  "documentType": "invoice",
  "invoiceNumber": "2024-001",
  "timestamp": "2026-05-08T10:30:00Z",
  "sha256": "abc123...def"
}

Separate Cloud Run job (cron every 5 minutes, or Cloud Tasks queue) reads R2 objects, uploads to Paperless via POST /api/documents/post_document/ with:

After successful upload, worker deletes R2 object (or moves to archived/ prefix). On failure, object remains, retry on next cron run.

Pros:

Cons:

Why this pattern wins:

1. Bilko UX never degrades. Paperless down? User still uploads doc successfully (R2 write). Worker retries until Paperless recovers. 2. Multi-tenant isolation enforced structurally. Worker applies org:{uuid} tag from R2 metadata. No chance of cross-tenant leak (Paperless search by tag = instant tenant filter). 3. Scales to 10,000 orgs × 100 docs/day. R2 = unlimited storage, worker processes batch (100 docs/run = 6 seconds at 60ms/doc). 4. Idempotent by design. R2 object key = content hash. Worker crash mid-upload? Re-run processes same doc, Paperless dedupes via custom_fields.sha256. 5. Reuses existing Bilko infrastructure. R2 bucket already configured (BUILD-BLUEPRINT line 64). Worker = new Cloud Run service (Terraform module = 20 lines).

Implementation complexity accepted because:

---

Implementation Spec (High-Level)

Phase 1: Bilko Backend Changes (CodeCraft)

1. Add R2 archive write function in apps/api/src/main/kotlin/no/alai/bilko/services/ArchiveService.kt:

suspend fun archiveDocument(
    organizationId: UUID,
    organizationName: String,
    documentType: String,  // "invoice" | "contract" | "care_plan"
    documentBuffer: ByteArray,
    metadata: Map  // { "invoiceNumber": "2024-001", ... }
): String {
    val sha256 = documentBuffer.sha256()
    val objectKey = "archive-queue/${organizationId}/${documentType}/${sha256}.pdf"

s3Client.putObject( bucket = "alai-bilko-files", key = objectKey, body = documentBuffer, metadata = mapOf( "organizationId" to organizationId.toString(), "organizationName" to organizationName, "documentType" to documentType, "timestamp" to Instant.now().toString(), "sha256" to sha256 ) + metadata )

return objectKey }

2. Call archiveDocument() after invoice PDF generation in InvoiceService.generatePDF():

val pdfBuffer = pdfGenerator.generate(invoice)
s3Client.putObject(...)  // existing code
archiveService.archiveDocument(
    organizationId = invoice.organizationId,
    organizationName = organization.name,
    documentType = "invoice",
    documentBuffer = pdfBuffer,
    metadata = mapOf("invoiceNumber" to invoice.number)
)

3. Same pattern for contracts, care plans, onboarding docs.

Phase 2: Archiver Worker (CodeCraft + FlowForge)

1. New Cloud Run service bilko-archiver-worker (Kotlin/Ktor or Node.js, TBD):

// apps/archiver-worker/src/main/kotlin/no/alai/bilko/archiver/Main.kt

fun main() { val s3Client = S3Client(/* R2 config */) val paperlessClient = PaperlessClient( baseUrl = "https://archive.alai.no", cfAccessClientId = System.getenv("CF_ACCESS_CLIENT_ID"), cfAccessClientSecret = System.getenv("CF_ACCESS_CLIENT_SECRET"), apiToken = System.getenv("PAPERLESS_API_TOKEN") )

runBlocking { val objects = s3Client.listObjectsV2("alai-bilko-files", prefix = "archive-queue/") objects.forEach { obj -> try { val metadata = obj.metadata val documentBuffer = s3Client.getObject(obj.key)

// Check if already uploaded (dedup) val existing = paperlessClient.searchBySHA256(metadata["sha256"]!!) if (existing != null) { logger.info("Document ${obj.key} already archived as Paperless #${existing.id}, skipping") s3Client.deleteObject(obj.key) return@forEach }

// Upload to Paperless val paperlessDoc = paperlessClient.uploadDocument( document = documentBuffer, title = "${metadata["documentType"]} - ${metadata["organizationName"]}", correspondent = "${metadata["organizationName"]} (${metadata["organizationId"]})", documentType = metadata["documentType"]!!.capitalize(), tags = listOf("org:${metadata["organizationId"]}", metadata["documentType"]!!, "bilko"), customFields = mapOf( "sha256" to metadata["sha256"]!!, "uploadedAt" to metadata["timestamp"]!!, "organizationId" to metadata["organizationId"]!! ) )

logger.info("Archived ${obj.key} → Paperless #${paperlessDoc.id}") s3Client.deleteObject(obj.key)

} catch (e: Exception) { logger.error("Failed to archive ${obj.key}: ${e.message}", e) // Leave object in R2, retry on next run } } } }

2. Deploy as Cloud Run job (triggered by Cloud Scheduler every 5 minutes):

infrastructure/gcp/terraform/modules/archiver-worker/main.tf

resource "google_cloud_run_v2_job" "bilko_archiver_worker" { name = "bilko-archiver-worker" location = var.region

template { template { containers { image = "europe-north1-docker.pkg.dev/${var.project_id}/bilko/archiver-worker:latest"

env { name = "CF_ACCESS_CLIENT_ID" value_source { secret_key_ref { secret = "cf-access-client-id" version = "latest" } } } env { name = "CF_ACCESS_CLIENT_SECRET" value_source { secret_key_ref { secret = "cf-access-client-secret" version = "latest" } } } env { name = "PAPERLESS_API_TOKEN" value_source { secret_key_ref { secret = "paperless-api-token" version = "latest" } } } }

timeout = "600s" # 10min max } } }

resource "google_cloud_scheduler_job" "archiver_trigger" { name = "bilko-archiver-cron" schedule = "*/5 * * * *" # Every 5 minutes time_zone = "Europe/Oslo"

http_target { uri = "https://${var.region}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${var.project_id}/jobs/${google_cloud_run_v2_job.bilko_archiver_worker.name}:run" http_method = "POST"

oauth_token { service_account_email = google_service_account.archiver_worker.email } } }

3. Monitoring dashboard (Cloud Monitoring): - Queue depth (R2 objects in archive-queue/ prefix) — alert if >500 - Worker success rate — alert if <95% over 1h - Worker execution time — alert if >300s - Paperless API error rate — alert if >5% over 15min

Phase 3: Paperless-ngx Configuration (FlowForge + Proveo)

1. Create Paperless correspondents (one per Bilko org, OR dynamic via worker): - Option A: Worker auto-creates correspondent if not exists (POST /api/correspondents/ with name="Firma AS (uuid-abc123)"). - Option B: Manual setup (CEO creates correspondent in Paperless UI for each new Bilko customer). Recommend Option A for scalability.

2. Create Paperless document types: - Invoice - Contract - Care Plan - Onboarding Document - Incident Report

3. Create Paperless custom fields: - sha256 (text, unique identifier for dedup) - organizationId (text, Bilko tenant UUID) - uploadedAt (datetime, original upload timestamp) - invoiceNumber (text, optional) - contractId (text, optional)

4. Tag taxonomy: - org:{uuid} (one tag per Bilko tenant, e.g., org:abc-123-def) - invoice | contract | care-plan | onboarding | incident - bilko (source system tag)

Phase 4: Retention Policy (Dr. Sarah Chen — Healthcare Compliance)

Question for CEO:

1. How long to keep docs in R2 after successful Paperless upload? - Option A: Delete immediately (worker deletes R2 object after Paperless confirms upload). - Option B: Keep 30 days (R2 lifecycle policy auto-deletes after 30d). Allows re-upload if Paperless doc accidentally deleted. - Recommendation: Option A (immediate delete). Paperless is source of truth post-archival. R2 = queue only.

2. Paperless retention policy? - Invoices: 7 years (Norway Bokføringsloven, Serbia/Croatia equivalent) - Contracts: Indefinite (until contract expires + 5 years) - Care plans: 10 years (HIPAA if US expansion, GDPR Article 17 deletion rights) - Recommendation: Configure per-document-type in Paperless via workflow rules (out of scope for this ADR).

3. GDPR Article 17 (Right to Erasure) handling? - When Bilko org deletes account (GDPR erasure request), worker must: 1. Query Paperless GET /api/documents/?tags__name=org:{uuid} 2. Delete all matching docs DELETE /api/documents/{id}/ 3. Delete correspondent DELETE /api/correspondents/{id}/ - Recommendation: Separate MC for GDPR compliance (erasure worker). Out of scope for archival MVP.

---

Stakeholders

---

Open Questions for CEO

1. Worker cron interval: 5 minutes (recommended) vs 15 minutes (lower Cloud Run invocation cost)? - 5min = faster archival, users see docs in Paperless <6min after upload. - 15min = lower cost (~$0.50/month vs ~$1.50/month for Cloud Run invocations), acceptable delay for archival use case. - Awaiting CEO decision.

2. R2 retention after upload: Delete immediately (recommended) vs keep 30 days (safety buffer)? - Immediate = lower storage cost, cleaner queue. - 30 days = allows re-upload if Paperless doc accidentally deleted (rare edge case). - Awaiting CEO decision.

3. Multi-tenant correspondent strategy in Paperless: - Option A: One correspondent per Bilko org (e.g., "Firma AS (uuid-abc123)"). Pro: clean correspondent filter in Paperless UI. Con: 10,000 orgs = 10,000 correspondents (Paperless UI clutter). - Option B: Single correspondent "Bilko" + rely on org:{uuid} tags for tenant isolation. Pro: clean Paperless correspondent list. Con: must always filter by tag (cannot filter by correspondent alone). - Recommendation: Option A (one correspondent per org). Paperless search by correspondent is more intuitive than tag filter for non-technical users (CEO searching for customer docs). - Awaiting CEO decision.

---

References

---

Next Steps (Child MCs)

Upon CEO approval of Pattern 3:

1. MC #TBD (CodeCraft): Implement ArchiveService.kt in Bilko backend + call from InvoiceService.generatePDF(). Estimate: 2h. Priority: M. 2. MC #TBD (CodeCraft): Scaffold archiver worker (apps/archiver-worker/) with R2→Paperless upload logic + dedup via SHA256. Estimate: 4h. Priority: M. 3. MC #TBD (FlowForge): Deploy archiver worker as Cloud Run job + Cloud Scheduler cron (Terraform IaC). Estimate: 3h. Priority: M. 4. MC #TBD (FlowForge): Provision CF Access service token for archiver worker + store in Secret Manager. Estimate: 1h. Priority: M. 5. MC #TBD (Proveo): End-to-end validation — upload test invoice in Bilko stage, verify appears in Paperless with org:{uuid} tag + correspondent. Estimate: 2h. Priority: M. 6. MC #TBD (Skillforge): BookStack runbook page for archiver worker (troubleshooting, monitoring dashboard links, manual queue drain). Estimate: 1h. Priority: L.

Total estimate: 13h across 3 specialists (CodeCraft 6h, FlowForge 4h, Proveo 2h, Skillforge 1h).

---

Decision Status: Awaiting CEO approval on:

1. Pattern 3 acceptance (vs Pattern 1 or 2) 2. Worker cron interval (5min vs 15min) 3. R2 retention policy (immediate delete vs 30d) 4. Paperless correspondent strategy (one-per-org vs single "Bilko" correspondent)

Next action: CEO review → approve → create 6 child MCs → dispatch to CodeCraft/FlowForge/Proveo/Skillforge.

Architecture

SPEC-022 — Document Archive Implementation

MC #100025 | Published 2026-05-08 | Status: Approved (Pattern 3 — Skybound)
Related: ADR-022COMPLIANCE-022

SPEC-022: Document Archive Implementation — Pattern 3 (Blob Queue)

Status: Draft — awaiting CodeCraft + FlowForge dispatch Date: 2026-05-08 Author: CodeCraft (MC #100025, Subtask 2) ADR: ADR-022-document-archive-strategy.md (Pattern 3 selected, 4.6/5 weighted score) CEO Decisions baked in: D1 (5min cron), D2 (delete immediately on success), D3 (one correspondent per org) Related: MC #100025 (this task), MC #100004 (IMAP→Paperless pipe, BookStack #2862)

---

1. Overview

Pattern 3 (App→Shared Blob→Archiver Job) is the selected architecture for Bilko→Paperless-ngx document archival. Bilko backend writes generated PDFs plus a .meta.json sidecar to a dedicated Cloudflare R2 staging bucket (bilko-archive-queue). A separate Cloud Run job (archiver-worker) polls the queue on a 5-minute cron (per CEO decision D1), uploads each document to Paperless-ngx at archive.alai.no via the Paperless REST API, and deletes the R2 object immediately upon confirmed upload (per CEO decision D2). Multi-tenant isolation is enforced by the worker reading organizationId from R2 object metadata and applying an org: tag plus a per-org correspondent (per CEO decision D3) on every Paperless document. Bilko user experience is never degraded by Paperless downtime; R2 is the authoritative queue and all retry semantics live in the worker. See ADR-022 §Decision Drivers for the full pattern comparison and rejection rationale for Patterns 1 and 2.

---

2. Components

ComponentLocationTypePurpose
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ArchiveServiceapps/api/src/main/kotlin/no/alai/bilko/services/ArchiveService.ktNew Kotlin serviceWrites PDF + .meta.json sidecar to R2 bilko-archive-queue bucket; returns ArchiveJobId
R2 bucket bilko-archive-queueCloudflare R2 (separate from existing AWS_S3_BUCKET)New bucketStaging queue for pending Paperless uploads
R2 bucket bilko-archive-dlqCloudflare R2New bucketDead-letter queue for objects that failed 3 upload attempts
archiver-workerapps/archiver-worker/New Cloud Run job (Node.js — see §10)Polls R2 → uploads to Paperless → deletes R2 objects
Cloud Scheduler triggerGCP Cloud Scheduler bilko-archiver-cronNew scheduler jobFires archiver-worker Cloud Run job every 5 minutes (per CEO decision D1)
Flyway migration V_archive_statusapps/api/src/main/resources/db/migration/New migrationAdds archive_status, archive_job_id, paperless_doc_url, archived_at columns to invoices and future document tables
ArchiveAuditLogapps/api/src/main/kotlin/no/alai/bilko/model/ArchiveAuditLog.kt + Flyway migrationNew DB tablePer-document archive status: pending, archived, failed
Bilko DB table org_paperless_cachePostgreSQL, Flyway migrationNew tableCaches organizationId → paperless_correspondent_id and organizationId → paperless_org_tag_id to avoid repeat API calls

---

3. Interfaces

3.1 ArchiveService — Kotlin signature

// File: apps/api/src/main/kotlin/no/alai/bilko/services/ArchiveService.kt
// Package: no.alai.bilko.services

data class SourceDoc( val organizationId: UUID, val organizationName: String, val documentType: DocumentType, // enum: INVOICE | CONTRACT | CARE_PLAN | INCIDENT_REPORT | ONBOARDING val documentBuffer: ByteArray, // raw PDF bytes val sha256: String, // hex SHA-256 of documentBuffer val metadata: Map // e.g. { "invoiceNumber": "2024-001", "contractId": "abc" } )

data class ArchiveOptions( val priority: ArchivePriority = ArchivePriority.NORMAL // NORMAL | HIGH (for future urgency flag) )

// Return type — opaque job ID (R2 object key) typealias ArchiveJobId = String

// Primary entry point — called by InvoiceService, ContractService, etc. // Throws ArchiveWriteException (wraps R2 S3 error) on R2 write failure. // NEVER throws on Paperless unavailability (async path). suspend fun archive(sourceDoc: SourceDoc, options: ArchiveOptions = ArchiveOptions()): ArchiveJobId

Callers (e.g. InvoiceService.generatePDF()) catch ArchiveWriteException and return HTTP 503 to the user with body {"error": "Document archived pending. Retry in 5 minutes.", "code": "ARCHIVE_QUEUE_FAILURE"}. The Bilko UX is decoupled per ADR-022 §Consequences (Positive #1): R2 write failure is the only user-visible failure; Paperless unavailability is invisible to the user.

3.2 R2 Object Schema

Object key convention:

org///.pdf
org///.meta.json

Example:

org/550e8400-e29b-41d4-a716-446655440000/invoice/a1b2c3d4...ef.pdf
org/550e8400-e29b-41d4-a716-446655440000/invoice/a1b2c3d4...ef.meta.json

Using SHA-256 as the object key suffix provides idempotent R2 writes: re-upload of identical PDF bytes overwrites the same key (R2 last-writer-wins), preventing queue bloat on Bilko retry paths.

.meta.json schema:

{
  "schemaVersion": "1",
  "r2Uuid": "",
  "organizationId": "550e8400-e29b-41d4-a716-446655440000",
  "organizationName": "Firma AS",
  "documentType": "invoice",
  "bilkoDocumentId": "",
  "invoiceNumber": "2024-001",
  "contractId": null,
  "timestamp": "2026-05-08T10:30:00Z",
  "sha256": "a1b2c3d4...ef",
  "retryCount": 0,
  "lastAttemptAt": null,
  "lastError": null
}

Content-type: PDF object → application/pdf. .meta.jsonapplication/json.

Retention class: Standard (no Infrequent Access — objects are short-lived by design).

3.3 Worker → Paperless API call

The worker calls POST https://archive.alai.no/api/documents/post_document/ as multipart/form-data:

POST /api/documents/post_document/
Host: archive.alai.no
CF-Access-Client-Id: 
CF-Access-Client-Secret: 
Authorization: Token 
Content-Type: multipart/form-data

Fields: document — PDF binary (required) title — " — " (e.g. "Invoice — Firma AS 2026-05-08") correspondent — (integer, pre-resolved by worker — see §5) document_type — (integer, mapped from documentType enum) tags — [, , , ] created — custom_fields — [{"field": , "value": ""}, {"field": , "value": ""}, {"field": , "value": ""}]

The worker resolves correspondent_id, document_type_id, and tag IDs prior to the upload call, using the org_paperless_cache Bilko DB table (see §5). All IDs are integers assigned by Paperless on creation.

Reuse of paperless-upload.js: The worker is Node.js (see §10 for language decision). It may directly import or inline logic equivalent to ~/system/tools/paperless-upload.js (MC #100004). The worker should NOT import the file at runtime from the system tools path — instead, the logic (multipart form construction, CF Access header injection, retry) is copied into apps/archiver-worker/src/paperlessClient.js with full ownership by the Bilko repo. This avoids coupling the Bilko Cloud Run container to the ALAI system tools directory.

Worker side-effect on success (D2):

1. DELETE R2 PDF object key. 2. DELETE R2 .meta.json sidecar key (per CEO decision D2 — delete immediately, no buffer). 3. UPDATE Bilko DB archive_audit_log row: archive_status = 'archived', paperless_doc_url = , archived_at = NOW(). 4. UPDATE Bilko DB source document table (e.g. invoices): archive_status = 'archived', paperless_doc_url = , archived_at = NOW().

Worker updates the Bilko DB via a thin internal HTTP endpoint on bilko-api Cloud Run service (authenticated with a shared internal API key stored in Secret Manager), OR directly via Cloud SQL connection if the worker runs in the same GCP VPC. Recommendation: internal HTTP endpoint on bilko-api is safer (no direct DB access from worker, follows existing service boundary). Endpoint: PATCH /internal/v1/archive-audit/{bilkoDocumentId} — worker-to-api call, not user-facing.

---

4. Auth Model

4.1 Bilko backend → R2 (write to bilko-archive-queue)

Reuses existing R2 credentials already in Bilko Cloud Run environment: AWS_S3_ENDPOINT, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_S3_BUCKET. A new env var AWS_S3_ARCHIVE_BUCKET=bilko-archive-queue routes ArchiveService writes to the separate archive bucket. The same Cloudflare R2 token is scoped to both buckets via R2 token policy. No new SA credential needed for Bilko backend.

4.2 Worker → R2 (read + delete from bilko-archive-queue)

Recommendation: separate R2 API token for the worker, scoped to bilko-archive-queue and bilko-archive-dlq with read + delete permissions. Do NOT share the Bilko production R2 token (which has write access to the main receipts/PDF bucket) with the worker. Principle of least privilege: worker should not be able to touch the main Bilko file storage bucket.

Worker credential: new Cloudflare R2 API token stored in GCP Secret Manager as bilko-archiver-r2-access-key-id and bilko-archiver-r2-secret-access-key. Provisioned by FlowForge as part of the worker deployment Terraform module.

4.3 Worker → Paperless (archive.alai.no)

Worker requires two credentials:

Recommendation: create a new dedicated Bitwarden item Paperless API Token — bilko-archiver-worker (separate from the existing Paperless API Token — anvil item referenced in MC #100004).

Rationale: the existing anvil token is shared with the IMAP→Paperless daemon (MC #100004). If the worker token is rotated (e.g. Bilko security incident), the IMAP daemon must not be affected. Separate tokens allow independent rotation. Both tokens have equal Paperless API access (same permissions) but are separate credentials with separate audit trails in Paperless and Bitwarden.

Similarly, create a new CF Access service token bilko-archiver-worker in Cloudflare Zero Trust, separate from any existing archive-alai-no CF Access token. Stored as: bilko-archiver-cf-access-client-id and bilko-archiver-cf-access-client-secret in GCP Secret Manager.

4.4 Bilko backend → Paperless

FORBIDDEN. The Bilko backend NEVER calls Paperless directly. Pattern 3 rationale from ADR-022 §Pattern 2 rejection: "Paperless becomes hot-path dependency — if archive.alai.no is down, Bilko document upload fails. User sees error." The R2 queue decouples Bilko from Paperless availability entirely.

---

5. Multi-Tenant Scoping

5.1 Correspondent strategy (per CEO decision D3 — one per org)

Correspondent name pattern: org- (e.g. org-550e8400-e29b-41d4-a716-446655440000).

On first archive for a new organization, the worker calls:

POST https://archive.alai.no/api/correspondents/
{ "name": "org-", "match": "", "matching_algorithm": 0, "is_insensitive": false }

The returned correspondent.id is stored in Bilko DB table org_paperless_cache:

CREATE TABLE org_paperless_cache (
    organization_id UUID PRIMARY KEY REFERENCES organizations(id),
    paperless_correspondent_id INTEGER NOT NULL,
    paperless_org_tag_id INTEGER NOT NULL,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

On subsequent archives for the same org, the worker reads from org_paperless_cache (HTTP GET to bilko-api internal endpoint GET /internal/v1/paperless-cache/{organizationId}). Cache miss triggers correspondent + tag creation and cache write. This avoids one Paperless API round-trip per document after first archive.

The human-readable org name (organizationName from the .meta.json) is NOT used as the Paperless correspondent name — org- is canonical to prevent name collisions and to survive org renames in Bilko.

5.2 Tag strategy

Every archived document receives exactly these tags:

TagPurposeCreated by
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
org:Tenant isolation — one tag per Bilko orgWorker on first archive for org
doc-type:invoice (or contract, care-plan, incident-report, onboarding)Document type filterWorker — static set, pre-created in Paperless during initial setup
bilko-sourceIdentifies all documents archived from Bilko (across all orgs)Pre-created in Paperless during initial setup
bilko-source-uuid:Idempotency dedup key — prevents duplicate Paperless documentsWorker — unique per document

The worker stores paperless_org_tag_id in org_paperless_cache alongside paperless_correspondent_id. Document-type tag IDs and the bilko-source tag ID are stored in worker environment config (PAPERLESS_TAG_IDS_MAP env var as JSON: {"invoice": 12, "contract": 13, ...}). These are set once during initial Paperless setup and do not change.

5.3 Tenant search in Paperless

To retrieve all documents for an org:

GET https://archive.alai.no/api/documents/?tags__id__in=&page=1&page_size=25

For filtering by doc type within an org:

GET https://archive.alai.no/api/documents/?tags__id__in=,

This is the canonical Paperless query pattern. Cross-tenant queries are impossible if the caller only has access to their own org_tag_id. (Note: Paperless does not natively enforce per-tag ACLs — isolation is enforced by the Bilko application layer controlling which org_tag_id each user can query.)

---

6. Retention Policy

6.1 R2 staging bucket (bilko-archive-queue)

Rationale (ADR-022 §Open Questions, CEO decision D2): Paperless is source of truth post-archival. R2 is a queue, not a backup. .meta.json on each failure. Object will be retried on next cron invocation. bucket and sends alert (Slack or email to dev@alai.no, the existing alert address per BUILD-BLUEPRINT line 302). Object in DLQ retained for 7 days then auto-deleted via R2 lifecycle rule. trigger alert (Cloud Monitoring metric → alert policy). This catches worker failures that leave objects stranded without incrementing retry count.

6.2 Paperless retention

TBD — pending legal/compliance review by Dr. Sarah Chen (S3, healthcare compliance). Interim recommendations based on applicable law:

Document TypeRecommended RetentionLegal Basis
-----------------------------------------------------------------------------------------------------------------------------
Invoices7 yearsNorway Bokføringsloven §13; Serbia Zakon o računovodstvu; BiH equivalent
ContractsIndefinite until expiry + 5 yearsStandard contract law (Norway, Serbia, BiH, Croatia)
Care plans25 yearsNHS/CQC standard (applicable if Bilko expands to UK healthcare)
Incident reports7 yearsGeneral audit retention standard
Onboarding documents5 years post-customer-offboardingGDPR Art. 5(1)(e) storage limitation

Paperless retention enforcement is OUT OF SCOPE for this implementation phase. Configure via Paperless Workflow rules in a subsequent MC (FlowForge + Dr. Sarah Chen).

---

7. Retry Semantics

7.1 Worker retry loop

On each 5-minute cron invocation (per CEO decision D1), the worker:

1. Lists all objects under org/ prefix in bilko-archive-queue (R2 ListObjectsV2 equivalent). 2. For each .meta.json sidecar found (PDF existence implied by paired key): a. Read retryCount. If retryCount >= 3: move to DLQ, skip. b. Fetch corresponding PDF bytes. c. Attempt Paperless dedup check: GET /api/documents/?custom_fields__value= — if document already exists in Paperless (Bilko double-run), skip upload, DELETE R2 object, update Bilko DB (idempotent cleanup). d. Attempt upload. On success: DELETE R2 objects, update Bilko DB audit log. e. On failure: increment retryCount in .meta.json, write updated .meta.json back to R2, log error. Leave PDF object in place.

7.2 Idempotency

R2 object key = org///.pdf. If Bilko backend calls ArchiveService.archive() twice for the same document (e.g. invoice regenerated), R2 write is idempotent (same key, same bytes). Worker sees one object, uploads once.

Paperless dedup via bilko-source-uuid: tag: if worker runs twice before completing a DELETE (e.g. crash between upload and delete), the second run finds the tag already present in Paperless and skips re-upload. Only deletes R2 + updates Bilko DB.

7.3 DLQ and alerting

Object moved to bilko-archive-dlq after 3 failures. Alert fires to dev@alai.no (Cloud Monitoring alert via existing TF_VAR_alert_email in BUILD-BLUEPRINT line 302). DLQ objects require manual triage — either re-queue by moving back to bilko-archive-queue (resets retryCount) or manually upload to Paperless and delete from DLQ.

---

8. Error Handling

8.1 Bilko backend — R2 write failure

ArchiveService.archive() throws ArchiveWriteException. Caller (e.g. InvoiceService.generatePDF()) catches and:

Per ADR-022 §Consequences (Positive #1): R2 write failure is a degraded but non-blocking UX state. The invoice PDF is already saved to the main Bilko R2 bucket. Only archival is deferred.

8.2 Worker — Paperless API errors

ErrorAction
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
401 UnauthorizedToken expired/rotated. Alert dev@alai.no immediately. Worker stops processing (do not retry — all subsequent calls will also 401). Manual token rotation required.
403 ForbiddenCF Access token issue. Same action as 401.
429 Rate LimitedExponential backoff within single cron run: wait 2s, 4s, 8s (cap at 30s). If still failing after 3 attempts, leave object in R2 for next cron.
500/502/503Retry up to 3 times within cron run with exponential backoff (2s, 4s, 8s). If all fail, increment retryCount in .meta.json, leave for next cron.
Network timeoutSame as 5xx. Worker fetch() timeout = 30 seconds per request.

8.3 Worker — Cloud Run job retry policy

Cloud Scheduler retry policy: max 3 retries with 30s backoff on Cloud Run job invocation failure (distinction: this is job-launch failure, not Paperless upload failure — separate from §7 object-level retries). If the job crashes mid-run, objects remain in R2 and are processed on next cron invocation.

8.4 Worker — structured logging

All worker log lines emit JSON to stdout (Cloud Run log aggregation reads stdout). Required fields:

{
  "severity": "INFO|WARNING|ERROR",
  "timestamp": "",
  "r2Key": "

---

9. Observability

9.1 Worker metrics (Cloud Monitoring custom metrics or stdout-JSON)

MetricTypeDescription
--------------------------------------------------------------------------------------------------------------------------
archive_jobs_processed_totalCounterTotal R2 objects successfully uploaded to Paperless
archive_jobs_failed_totalCounterTotal R2 objects that failed upload (all retry attempts)
archive_queue_depthGaugeCount of objects currently in bilko-archive-queue (R2 ListObjectsV2 at job start)
archive_e2e_latency_secondsHistogramTime from R2 object timestamp in .meta.json to confirmed Paperless upload
archive_dlq_depthGaugeCount of objects in bilko-archive-dlq (alert if > 0)

Metrics emitted as structured log lines (Cloud Run → Cloud Logging → Log-based metrics) OR via Cloud Monitoring custom metric API from worker. Recommendation: log-based metrics (simpler, no extra SDK dependency in worker). Cloud Monitoring log-based metric filter on action field.

9.2 Alert policies

ConditionSeverityChannel
-------------------------------------------------------------------------------------------------------
archive_dlq_depth > 0P1dev@alai.no (existing Cloud Monitoring alert email)
archive_queue_depth > 500 for 15 minutesP2dev@alai.no — worker may have stopped
Worker job not invoked in >10 minutesP2Cloud Scheduler missed execution alert
archive_jobs_failed_total > 5 in 1 hourP2dev@alai.no
Paperless 401 in worker logsP1dev@alai.no — token rotation required

9.3 Bilko DB audit log

Every document that passes through ArchiveService.archive() gets a row in archive_audit_log:

CREATE TABLE archive_audit_log (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    organization_id UUID NOT NULL REFERENCES organizations(id),
    bilko_document_id UUID NOT NULL,     -- FK to invoices.id, contracts.id, etc.
    document_type VARCHAR(50) NOT NULL,
    r2_object_key TEXT NOT NULL,
    sha256 TEXT NOT NULL,
    archive_status VARCHAR(20) NOT NULL DEFAULT 'pending',  -- pending | archived | failed
    paperless_doc_id INTEGER,
    paperless_doc_url TEXT,
    archived_at TIMESTAMPTZ,
    retry_count INTEGER NOT NULL DEFAULT 0,
    last_error TEXT,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX idx_archive_audit_log_org ON archive_audit_log(organization_id);
CREATE INDEX idx_archive_audit_log_doc ON archive_audit_log(bilko_document_id);
CREATE INDEX idx_archive_audit_log_status ON archive_audit_log(archive_status) WHERE archive_status != 'archived';

The worker updates this table via PATCH /internal/v1/archive-audit/{bilkoDocumentId} on the bilko-api service (authenticated internal call). The bilko-api internal endpoint is protected by a shared secret (INTERNAL_API_KEY) stored in Secret Manager, injected into both bilko-api Cloud Run service and archiver-worker Cloud Run job at deploy time.

---

10. Open Questions for Next Phase

1. Worker language — Kotlin vs Node.js: ADR-022 §Phase 2 lists "Kotlin/Ktor or Node.js, TBD." Recommendation: Node.js, reusing paperless-upload.js logic (inlined into apps/archiver-worker/src/paperlessClient.js). Rationale: (a) faster to ship — Node worker requires zero Gradle/JVM setup, shorter Docker image, simpler Cloud Run job config; (b) the heaviest logic (multipart Paperless upload) already exists in Node (MC #100004); (c) Kotlin adds value for domain-heavy Bilko services, not for a thin queue-poller. Downside: two runtimes in the Bilko repo (Kotlin + Node). Acceptable given worker is a standalone job in apps/archiver-worker/, isolated from apps/api/. **CodeCraft must confirm this choice before implementation starts.**

2. Backfill for existing Bilko documents not yet archived: Out of scope for first ship. All pre-existing invoices, contracts in Bilko DB are unarchived. A backfill worker (one-shot Cloud Run job, reads Bilko DB → writes to R2 queue → worker picks up) is a natural Phase 2 task. Create child MC when this phase ships.

3. DR — Paperless VM outage >24h: Worker retries indefinitely (R2 objects accumulate). At 24h queue backlog (estimated ~2,880 cron invocations), archive_queue_depth > 500 alert fires to ops. Worker will self-heal on Paperless recovery without intervention. If VM is permanently lost: restore Paperless from Azure VM backup (existing backup schedule assumed — verify with FlowForge). R2 queue is the authoritative backlog; no documents are lost.

4. GDPR Art. 17 erasure flow: When a Bilko org deletes their account, all archived documents must be deleted from Paperless (DELETE /api/documents/{id}) and the correspondent deleted (DELETE /api/correspondents/{id}). This is a separate erasure worker, out of scope for this implementation phase. File child MC at same time as backfill MC (Phase 2).

5. Bilko internal API endpoint auth (/internal/v1/): The worker-to-api callback for updating archive_audit_log requires an internal auth mechanism. Shared secret (INTERNAL_API_KEY) is recommended for MVP. mTLS (Cloud Run service-to-service auth via OIDC token) is more secure and already supported by GCP — recommend upgrading to mTLS in Phase 2. Child MC for FlowForge.

---

References

Architecture

COMPLIANCE-022 — Archive Review (HIPAA/GDPR/CQC)

MC #100025 | Published 2026-05-08 | Status: Approved (Pattern 3 — Skybound) / Compliance gate pending (Dr. Sarah Chen M3+M5 blockers)
Related: ADR-022SPEC-022
⚠️ PRE-EMPTIVE BLOCKERS — Pattern 3 cannot ship to production with EU personal data until: See section 9 for full MUST list.

COMPLIANCE-022: Healthcare & Privacy Compliance Review

Bilko Document Archive — Pattern 3 (Blob Queue) ADR-022 / SPEC-022

Reviewer: Dr. Sarah Chen, Healthcare IT Systems Architect Date: 2026-05-08 MC: #100025 Subtask 3 of 5 Status: Final — sign-off conditions in §10

---

1. Scope — Applicable Regulations

Jurisdiction and context

Bilko is a Balkan accounting SaaS (Serbia, BiH, Croatia), EU residency claimed (GCP europe-north1), operated by ALAI Holding AS (Norway). The doc types named in ADR-022 §Context include care plans and incident reports. Those two types trigger healthcare regulatory scope even in an accounting product.

Regulations evaluated

RegulationTriggerApplies?
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GDPR / EU GDPR (Regulation 2016/679)EU residency, Balkan clients in EU data space, special category Art. 9 data possible in care plansYES — primary
HITECH Act (US)Only if Bilko serves US-based covered entities or their BAs. No US presence confirmed in BUILD-BLUEPRINT.NOT YET — but architecture must not preclude compliance if US expansion occurs
HIPAA Privacy + Security RulesSame trigger as HITECH.NOT YET — apply when US expansion scoped
CQC / Health and Social Care Act 2008Only if Bilko serves UK-registered domiciliary care agencies. Not confirmed.NOT YET — same comment
NIS2 Directive (EU 2022/2555)ALAI Holding AS as digital infrastructure provider processing health data above medium-enterprise threshold. Likely not in scope at current scale but architecture must support NIS2-compliant incident response by design.MONITOR — review at 50+ orgs
Norway Bokføringsloven §13Invoices, financial records, 7-year retentionYES — invoices
Serbia Zakon o računovodstvu / Croatia equivalentsSame financial retentionYES — domain packages
GDPR Art. 17 (Right to Erasure)Active for all EU data subjectsYES — open gap in SPEC-022 §10.4
GDPR Art. 28 (Sub-processor chain)ALAI Azure VM Paperless is a sub-processor of BilkoYES — gap in both documents

For care plans and incident reports: GDPR Art. 6(1)(b) (contract performance) as primary basis; Art. 9(2)(h) (health/social care purposes) as special-category basis. This must be reflected in Bilko's Privacy Notice and any DPA issued to tenants.

---

2. Data Classification

Document TypeGDPR ClassificationSpecial Category (Art. 9)?Financial Record?Recommended Paperless Tag
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
InvoicePersonal data (contact name, address, VAT ID)NoYes (Bokføringsloven, 7y)data-class:financial
ContractPersonal data (signatories, company data)NoQuasi-financial (5y post-expiry)data-class:legal
Care planSpecial category health dataYES — diagnosis, medication, functional statusNodata-class:health sensitivity:high
Incident reportSpecial category health/social dataYES — if describes injury, clinical eventPotentiallydata-class:health sensitivity:high
Onboarding documentPersonal data (identity verification, scanned ID)No (unless medical screen)Nodata-class:identity

Tag strategy amendment

SPEC-022 §5.2 defines four tag types: org:, doc-type:*, bilko-source, bilko-source-uuid:.

Missing: data classification tags. The PAPERLESS_TAG_IDS_MAP env var must include entries for data-class:health, data-class:financial, data-class:legal, data-class:identity, and sensitivity:high. These are required for:

---

3. Audit Trail Requirements

3.1 What SPEC-022 §9.3 provides

archive_audit_log records: who queued the archive (implicit — ArchiveService called in user request context), R2 object key, sha256, status transitions, timestamps, Paperless doc ID, retry count, errors.

This covers the archival pipeline itself adequately.

3.2 Critical gap — per-access logging for archived documents

SPEC-022 contains no provision for logging human access to archived documents in Paperless.

When a CEO-level user or ALAI admin opens a care plan or incident report in the Paperless UI at archive.alai.no, there is no audit record in any Bilko system.

GDPR Art. 5(1)(f) (integrity and confidentiality) and, when US healthcare clients are added, HIPAA §164.312(b) (audit controls) require that every access to records containing personal or health data is logged with:

Paperless-ngx does not natively emit per-document access logs to an external SIEM. It maintains an internal Django audit trail (auditlog tables), but that trail lives on the Azure VM and is not exported to GCP Cloud Logging where Bilko's other audit records live.

Gap: no tamper-evident export of Paperless access logs.

3.3 Retention of access logs

GDPR Article 5 + Recital 39 require demonstrability — logs must be retained long enough to respond to a subject access request or supervisory authority inquiry. Minimum: same retention as the documents they describe. For care plans (25 years per SPEC-022 §6.2), access logs must survive 25 years. For invoices, 7 years.

SPEC-022 §6.2 is silent on access log retention.

3.4 Tamper evidence

The archive_audit_log table in Bilko DB is defined in SPEC-022 §9.3. It has no tamper-evidence mechanism (no hash chaining, no write-once constraint beyond application code). PostgreSQL row-level updates are possible for any user with DB access.

Minimum required: ensure archive_audit_log has no application-level UPDATE path for created_at and core fields (sha256, organization_id, bilko_document_id). A DB-level check constraint or trigger preventing modification of those columns after insert provides tamper-resistance without requiring a separate append-only log infrastructure.

---

4. Access Control Deltas

4.1 Worker process — least privilege (SPEC-022 §4)

SPEC-022 §4.2 recommends a separate R2 API token for the worker scoped to the two archive buckets. SPEC-022 §4.3 recommends a separate Paperless API token. Both are correct. No gap here from an access control standpoint.

4.2 Human admin access to Paperless — unaddressed

Neither ADR-022 nor SPEC-022 defines who may log into archive.alai.no as a human user and what they can access. Currently, the only documented credential is alembasic (Bitwarden item referenced in ADR-022 §Context). That is a single superuser account.

For multi-tenant data containing health records:

Required additions:

with access scoped to bilko-source tagged documents only, no sensitivity:high filter bypass. doc types are live. A named admin account with restricted permissions per document type is required. UI relies entirely on the discipline of human users to filter by org: tag. This is not adequate for healthcare data.

4.3 Cross-tenant containment — tag-based vs. physical separation

SPEC-022 §5.3 states: "Cross-tenant queries are impossible if the caller only has access to their own org_tag_id. Isolation is enforced by the Bilko application layer controlling which org_tag_id each user can query."

This is correct for machine-to-machine access (worker reads, API queries). It is **not sufficient for human access** to the Paperless UI, where all documents from all tenants are visible to any logged-in user. Until Paperless supports per-tag or per-user-group ACLs (which it does not as of v2.x), physical separation — one Paperless instance per tenant — is the only way to enforce tenant isolation for human UI access.

**Recommendation (SHOULD — not an immediate ship blocker provided care plans are not in scope for MVP):** Before enabling care plan or incident report archival through this pipeline, deploy per-tenant Paperless instances or ensure the Paperless UI is not accessible to any human user other than a designated compliance officer who has executed an appropriate access agreement and whose access is logged separately.

4.4 Break-glass access procedure

Neither document defines a break-glass procedure: how does ALAI access a specific tenant's archived documents if the Bilko DB org_paperless_cache is corrupted or unavailable?

Required: Document and test a break-glass procedure: (a) query Paperless directly by org: tag using the bilko-ops service account, (b) log the access reason and approver, (c) notify the affected tenant within 72 hours if the access was to health data.

---

5. Sub-Processor Analysis

5.1 The data flow chain

Bilko tenant (data subject's data)
  → Bilko Cloud Run API (controller / data processor acting on behalf of tenant)
    → Cloudflare R2 (sub-processor #1 — staging queue)
      → archiver-worker Cloud Run (internal processor — ALAI infrastructure)
        → ALAI Azure VM / Paperless-ngx (sub-processor #2 — long-term storage)

5.2 Gap: no GDPR Art. 28 chain documented

GDPR Art. 28(4) requires that where a processor engages a sub-processor, the same data protection obligations as set out in the controller-processor contract are imposed on the sub-processor.

ADR-022 notes "Paperless-ngx at archive.alai.no = ALAI Azure VM (separate org from Bilko tenants). Cross-org data flow = sub-processor relationship; needs DPA articulation" — and then defers to this review. SPEC-022 does not address it at all.

Minimum required DPA chain articulation:

1. Bilko's Terms of Service / DPA with each tenant must list: - Cloudflare (R2) as a sub-processor - ALAI Holding AS hosting (Azure VM, Paperless) as a sub-processor

2. The existing ALAI AI Services Legal Pack (BookStack shelf https://docs.alai.no/shelves/ai-services-legal-pack, TOMs published) provides a DPA template. That template must be extended with a Schedule listing sub-processors and their processing purposes. For the archive pipeline: Purpose = "Long-term document retention for audit and compliance purposes"; Location = EU (Azure westeurope); Retention per §6.2 of SPEC-022.

3. ALAI must have a DPA with Microsoft Azure (for the VM hosting Paperless). Standard Microsoft Online Services DPA covers this if the Azure subscription is enrolled — verify this is in place.

4. Bilko tenants uploading care plans or incident reports must be explicitly informed (Privacy Notice update) that health data is stored in Paperless on an ALAI-operated EU server.

5.3 Cloudflare R2 sub-processor status

Cloudflare R2 is covered by Cloudflare's standard Data Processing Addendum. ALAI should confirm it is signed as part of the Cloudflare account setup. The R2 bucket must be configured to a confirmed EU jurisdiction (Cloudflare R2 location hint WEUR or EEUR).

---

6. Encryption Requirements

6.1 At rest — R2 (staging queue)

Cloudflare R2 provides AES-256 encryption at rest by default for all objects. No customer-managed key option was selected per SPEC-022 §4. For current Bilko document types (invoices, contracts), platform-managed encryption is adequate. For care plans and incident reports (special category health data), consider whether tenant-controlled encryption keys are a contractual requirement with any healthcare clients before that doc type goes live.

6.2 At rest — Paperless on Azure VM

SPEC-022 does not confirm disk encryption on the Azure VM hosting Paperless. Azure VM OS disks are not encrypted by default — Azure Disk Encryption (ADE using BitLocker/DM-Crypt) or server-side encryption with customer-managed keys must be explicitly enabled. This must be verified by FlowForge before any healthcare document type is archived.

Required (MUST): Confirm Azure VM hosting Paperless has disk encryption enabled. Run az vm encryption show --name --resource-group and include output in the ship checklist evidence.

6.3 In transit — GCP Cloud Run to R2

Cloudflare R2 S3-compatible API enforces TLS 1.2+ on all endpoints. Confirmed adequate.

6.4 In transit — archiver-worker to Paperless (archive.alai.no)

ADR-022 §Context: Paperless is "behind Cloudflare Access (service token required)". Cloudflare Access enforces HTTPS on all traffic to the origin. The origin-to-Cloudflare tunnel should use Cloudflare Tunnel (cloudflared) or an authenticated origin pull — confirm this is configured so the Azure VM does not expose port 443 directly to the internet.

If the Azure VM is exposed directly (no cloudflared), a misconfigured security group could allow direct HTTP access bypassing CF Access entirely. FlowForge must confirm the network path.

6.5 Field-level encryption

Field-level encryption of PDF content is not feasible within this architecture and is not required at this stage. The PDF is the record. Encryption at transport and at rest is the appropriate control. If any structured extracted fields from care plans are ever stored in Bilko DB as queryable columns, those columns must be treated as special category data and assessed for column-level encryption.

---

7. Erasure / Right to Be Forgotten (GDPR Art. 17)

7.1 Current state

SPEC-022 §10.4 acknowledges erasure as an open question: "a separate erasure worker, out of scope for this implementation phase."

ADR-022 §Phase 4 (Q3) provides a three-step Paperless erasure process (query by org: tag, delete documents, delete correspondent). This is architecturally sound.

7.2 Interim recommendation (required before care plans go live, SHOULD before MVP)

GDPR Art. 17(1) requires that erasure be executed "without undue delay." For a SaaS with a documented erasure process, "without undue delay" means the capability must exist and be operable when a valid erasure request arrives — it does not require automatic self-service.

For MVP (invoices, contracts, onboarding — not health data): an operationally-documented manual erasure procedure is acceptable interim. The procedure must be documented in the RUNBOOK.md and tested before any EU data subject data reaches production.

Manual erasure procedure (document in RUNBOOK.md before MVP ship):

1. Receive verified erasure request (tenant admin or data subject via support ticket). 2. Confirm no legal hold applies (Bokføringsloven 7-year financial record exception — invoices cannot be erased within retention period under legitimate interest override). 3. Delete Bilko DB records for the org (existing DB delete cascade paths — confirm with CodeCraft). 4. Query R2 for any pending queue objects: aws s3 ls s3://bilko-archive-queue/org// and delete all. 5. Query Paperless: GET /api/documents/?tags__id__in=, delete all results. 6. Delete Paperless correspondent: DELETE /api/correspondents/. 7. Delete org_paperless_cache row for the org. 8. Log erasure completion with timestamp and executor identity.

Before care plans or incident reports are archived: an automated erasure worker is required (child MC, FlowForge). Manual erasure for health records under Art. 17 is too slow and too error-prone.

7.3 Financial record exception

Invoices subject to Bokføringsloven §13 (Norway) or equivalent (Serbia, Croatia, BiH) cannot be erased within the mandatory retention period even on Art. 17 request. The Privacy Notice must inform data subjects of this limitation. The erasure procedure must check document type and skip financial records with a logged exception.

---

8. Incident Response / Breach Notification

8.1 Breach scenarios

ScenarioSeverityGDPR notificationResponsible party
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Bilko Cloud Run API compromise (R2 staging queue exposed)HIGH if health data in queue72h to supervisory authority (Datatilsynet, Norway; or relevant Balkan DPA)ALAI (as Bilko operator)
Azure VM compromise (Paperless data exposed)HIGH72h — triggers sub-processor notification chain: ALAI Azure → ALAI Bilko team → tenant notificationALAI (as sub-processor); tenant notifies their data subjects
Worker credential leak (CF Access + Paperless API token)MEDIUM-HIGH (allows read of all archived docs across all tenants)72h if PHI/health data accessibleALAI
Cross-tenant Paperless UI access (human error)MEDIUM72h if health data accessedALAI

8.2 Notification chain (required in RUNBOOK.md)

Neither ADR-022 nor SPEC-022 defines a breach notification chain. The following must be documented:

1. Detection: Cloud Monitoring alert (unauthorised 401/403 spike, DLQ depth spike, anomalous ListObjectsV2 calls from unexpected IP) fires to dev@alai.no. 2. Triage: Within 1 hour — ALAI ops determines whether PHI/PII was exposed. 3. Internal declaration: ALAI Compliance (Alem Basic as DPO for current scale) declares breach. 4. Supervisory authority notification: Within 72 hours of awareness — notify Datatilsynet (Norway) via https://www.datatilsynet.no/en/about-privacy/notification-of-a-data-breach/. If Serbian or Croatian data subjects affected: notify relevant authority (POVP, Serbia; AZOP, Croatia) simultaneously. 5. Tenant notification: Within 72 hours — notify affected tenant(s) via documented contact (tenant owner email on record in Bilko DB). 6. Data subject notification: If "likely to result in a high risk to rights and freedoms" (Art. 34), notify data subjects directly. Care plan or incident report exposure = high risk threshold met automatically.

---

MUST — compliance blockers (must fix before production ship)

IDDocumentSectionRequired change
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
M1SPEC-022§5.2Add data-class:health, data-class:financial, data-class:legal, data-class:identity, and sensitivity:high to PAPERLESS_TAG_IDS_MAP. Worker must apply data-class and (for care plans / incident reports) sensitivity:high tag on every archive call.
M2SPEC-022§9.3Add DB-level protection on archive_audit_log: a Postgres trigger or check constraint must prevent UPDATE of organization_id, sha256, bilko_document_id, and created_at after row insert. Append-only semantics enforced at DB layer, not only application layer.
M3ADR-022 + SPEC-022§4 / §ContextDocument and verify Azure VM disk encryption is enabled before care plans or incident reports are archived. Add to ship checklist: az vm encryption show output as evidence.
M4SPEC-022§10.4Document manual erasure procedure in RUNBOOK.md (see §7.2 of this review) before MVP ship. Must include: financial record exception logic, Paperless deletion steps, audit log of erasure.
M5ADR-022§ConsequencesUpdate Bilko Terms of Service / Privacy Notice and sub-processor DPA to list Cloudflare R2 and ALAI Azure VM (Paperless) as sub-processors per GDPR Art. 28(4). This must exist before any EU personal data flows through the archive pipeline. Must reference ALAI AI Services Legal Pack DPA template on BookStack.
M6SPEC-022§4 / §9Paperless access log export: configure Paperless Django audit log export (or Cloudflare Access request logging for archive.alai.no) to ship access events to Cloud Logging. Access log entries must contain: user/service account identity, document ID, document type, timestamp, source IP. Retain per document class retention period.

SHOULD — best practice (not immediate ship blockers)

IDDocumentSectionRecommended change
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
S1SPEC-022§5.3Before enabling care plan or incident report doc types, assess whether tag-based isolation in the shared Paperless instance is sufficient or whether a dedicated per-healthcare-tenant Paperless instance is required. Tag isolation is adequate for machine queries but not for human Paperless UI access.
S2SPEC-022§4.3Replace INTERNAL_API_KEY shared secret for worker-to-api callback with GCP Cloud Run service-to-service OIDC auth (already in SPEC-022 §10.5 as Phase 2 item). Shared secret is a credential management risk. This is already flagged; confirm it is a Phase 2 child MC, not indefinitely deferred.
S3ADR-022§Phase 4Create child MC for automated erasure worker before enabling care plan archival. Manual erasure is not appropriate for health data under GDPR Art. 17.
S4SPEC-022§6.2Add care plan retention to 25 years in Paperless Workflow rule (SPEC-022 already notes this as out of scope). File the child MC before health doc types go live. 25-year retention is a CQC/NHS standard; for Balkan jurisdiction equivalents, confirm with local counsel (no equivalent statutory period confirmed for Serbia/BiH/Croatia).
S5SPEC-022§10Add Breach Notification Runbook to RUNBOOK.md (§8.2 of this review) as child MC. Required before any production data flows through the pipeline.
S6ADR-022§ContextVerify Cloudflare R2 bucket bilko-archive-queue location hint is set to WEUR or EEUR to maintain EU data residency. Not confirmed in either document.

---

10. Sign-Off Conditions

The following must be true before Pattern 3 ships to production. Each item maps to a MUST above.

1. [M5] Sub-processor DPA chain published. Bilko ToS / Privacy Notice lists Cloudflare R2 and ALAI Azure VM as sub-processors. Bilko tenant DPA template updated. Evidence: BookStack page with published DPA addendum (reference ALAI AI Services Legal Pack shelf).

2. [M1] Data classification tags deployed in Paperless. data-class:* and sensitivity:high tags exist in Paperless, IDs populated in PAPERLESS_TAG_IDS_MAP, worker applies them. Evidence: Proveo test showing a care plan doc archived with data-class:health + sensitivity:high tags visible in Paperless.

3. [M3] Azure VM disk encryption verified. FlowForge provides az vm encryption show output confirming encryption enabled on the VM hosting Paperless. Evidence: output attached to ship checklist.

4. [M2] Archive audit log tamper-protection deployed. Flyway migration adds DB-level constraint on archive_audit_log. Evidence: Proveo attempts direct SQL UPDATE on created_at and sha256 columns and confirms rejection.

5. [M6] Paperless access log export live. Cloudflare Access request logs for archive.alai.no (or Paperless Django auditlog export) flowing to Cloud Logging. Evidence: Cloud Logging query showing access log entries from a test document retrieval.

6. [M4] RUNBOOK.md updated with manual erasure procedure. Procedure includes financial record exception, Paperless deletion steps, confirmation of org_paperless_cache cleanup. Evidence: Proveo executes erasure procedure end-to-end in staging and documents result.

Pre-emption clause: Items M3 (Azure disk encryption) and M5 (DPA chain) are pre-emptive — they must be resolved before any personal data of any kind is archived in Paperless production. They are not "ship before care plans go live" items; they are "ship before any data flows" items. If either is unresolved at production launch, the pipeline must be restricted to internal test data only via a feature flag.

---

_Reviewed against: ADR-022 (all sections), SPEC-022 (all sections §1–§10), BUILD-BLUEPRINT.md (multi-tenancy model, GCP deployment, R2 config). GDPR 2016/679 Arts. 5, 6, 9, 17, 28, 34; HIPAA §164.312 (noted for future US expansion); CQC Key Lines of Enquiry Safe domain (noted for future UK healthcare expansion); NIS2 Directive 2022/2555 (monitor threshold)._

Architecture

HR eRačun — Architecture Decision Record (ADR) + Build Plan

STATUS: design accepted; build in progress (WP1+). Production activation PARKED pending legal (B1/B2) + the multi-tenant decision.

NOTE: app-api.bilko.cloud maps to bilko-api-demo — the demo backend serves the bilko.cloud domain; activation is a real-domain decision, not a code toggle.

Status: ACCEPTED
Date: 2026-06-11
Lead Architect: Petter Graff (synthesized from team inputs)
Input Authors: Martin Kleppmann, Bruce Momjian, Markos Zachariadis, Parisa Tabriz
MC: #103453 (architecture documentation) | #103464 (build execution)
Cross-link: Bilko HR eRačun — sveRačun (PostLink) Integration & Status Model
CEO directive: "tim arhitekata, Petter Graff lead, plan → dokumentuju → build, BEZ HAKOVA."

1. Context and Problem

1.1 What Exists

Bilko has a Croatia HR eRačun adapter (SveRacunHrEInvoiceAdapter) with three implemented methods — serialize(), submit(), pollStatus() — and 42 unit tests. A Proveo-verified live TEST submission to the sveRačun (PostLink d.o.o.) TEST API returns HTTP 200 with a documentId. The status mapping (mapStatusPair) correctly implements the real sveRačun two-layer status model (corrected MC #103445).

1.2 The Three Structural Problems

Problem 1 — The wiring gap (critical).
No route, no service, and no persistence layer connects the product UI/API to the adapter. POST /invoices/{id}/submit-to-sef exists for Serbia (RS); HR has no equivalent. PluginHR.submitToFiscalPlatform is NOT_IMPLEMENTED by design (it uses FiscalReceipt, not CanonicalInvoice). An operator cannot submit an HR invoice through Bilko today. This is the primary gap this ADR closes.

Problem 2 — Live double-fiscalization bug (critical, exists in the code today).
SveRacunHttpClient installs HttpRequestRetry globally with retryOnServerErrors(maxRetries = 3). This plugin fires on all 5xx responses — including those returned after sveRačun has already accepted and queued the document (transient 500 on the response-write path). A retry would POST the same UBL XML with the same invoice number to sveRačun a second time. In the Croatian fiscal model, that is a second fiscalization of the same invoice number — a criminal tax offence (Kazneni zakon, čl. 256). This bug exists in the current codebase and must be fixed before any live call, including TEST calls.

Problem 3 — The single-issuer ceiling (architectural).
serialize() reads the XML sender OIB from httpClient.configuredSenderVat, which maps to the global env var SVERACUN_SENDER_VAT. sveRačun's etapa-1 rule requires that the initiator OIB (the API-key-holder) equal the XML sender OIB. With a single global env var, Bilko can only ever submit invoices as one legal entity. A multi-tenant SaaS requires each tenant to issue under their own OIB. The CEO decision parks multi-tenant for production, but the architecture must not hardcode assumptions that prevent it.

1.3 Compliance Blockers from Vlado Brkanić Memo (MC #103443)

2. Decisions

2.1 The IssuerProfile Abstraction (Zachariadis Model C)

Decision: Introduce IssuerProfile as the single abstraction for "who is the legal sender and what credentials does the system use." The adapter and service NEVER read global env vars for sender identity after this change. The demo is built on this abstraction with a single ALAI profile.

Rationale: The PostLink companyVatNumber header is already architecturally separate from the Authorization API key header. The IssuerProfile abstraction now means the production multi-tenant path is a credential-config change, not a code rewrite.

data class IssuerProfile(
    val profileId: UUID,
    val orgId: UUID,                     // FK to organizations.id
    val legalSenderOib: String,          // HR-prefixed, e.g. HR91276104352
    val legalSenderName: String,
    val submissionMode: SubmissionMode,  // DIRECT | INTERMEDIARY
    val apiKeySecretRef: String,         // GCP Secret Manager path — NEVER the raw key
    val sveRacunBaseUrl: String,         // TEST or PROD endpoint
    val intermediaryOib: String? = null,
    val posrednikRef: String? = null,
    val enabled: Boolean
)

enum class SubmissionMode { DIRECT, INTERMEDIARY }

For demo: one row, submissionMode = DIRECT, legalSenderOib = HR91276104352, apiKeySecretRef = "projects/.../secrets/bilko-sveracun-test-api-key/versions/latest".
For production: per-tenant rows, submissionMode = INTERMEDIARY, shared platform key, per-tenant legalSenderOib.

2.2 Adapter Refactor: IssuerProfile Injection Over Env Vars

Decision: SveRacunHrEInvoiceAdapter.serialize() receives senderOib: String explicitly. SveRacunHttpClient is instantiated with per-profile apiKeyOverride and senderVatOverride. The global-env-var constructor path is preserved for tests only; the production code path always resolves via IssuerProfile.

2.3 Retry Policy: Split Send-Path from Poll-Path

Decision: SveRacunHttpClient will use TWO separate HttpClient instances: one for the send path with maxRetries = 0, one for the poll path with maxRetries = 3 and exponential backoff.

Rationale: This is the Kleppmann non-negotiable. The current single HttpClient with global retry is a live bug. Splitting into two instances is the cleanest fix without touching retry configuration in a way that could be accidentally reverted.

// Send path — zero retries; double-submit is a tax offence
private val sendClient = HttpClient(sendEngine) {
    install(HttpTimeout) { requestTimeoutMillis = TIMEOUT_MS; connectTimeoutMillis = 10_000L }
    // NO HttpRequestRetry installed
}

// Poll path — safe to retry; reads are idempotent
private val pollClient = HttpClient(pollEngine) {
    install(HttpTimeout) { requestTimeoutMillis = TIMEOUT_MS; connectTimeoutMillis = 10_000L }
    install(HttpRequestRetry) {
        maxRetries = MAX_RETRIES
        retryOnServerErrors(maxRetries = MAX_RETRIES)
        exponentialDelay(base = 2.0, maxDelayMs = 8_000L)
    }
}

2.4 State Machine (Canonical Definition)

The canonical state machine for an HR eRačun submission in Bilko. All service code and all DB column values reference these states and only these states.

Stateinternal_statussveracun_document_idMeaning
NOT_SUBMITTEDNULL (no row)NULLInvoice exists; no submission row
NUMBER_RESERVEDNUMBER_RESERVEDNULLFiscal number locked; XML serialized; GCS written; HTTP not yet called
SUBMITTEDSUBMITTED<docId>HTTP 200 + documentId received and persisted
SUBMIT_UNCERTAINSUBMIT_UNCERTAINNULLSent (maybe); no documentId received (timeout / conn err / no docId in 200 body)
PENDINGPENDING<docId>sveRačun still processing (UNKNOWN or null external)
ACCEPTEDACCEPTED<docId>Terminal success: internal=OK + external=FISCALIZATION:OK
REJECTEDREJECTED<docId> or NULLTerminal failure: FAILED/UNDELIVERABLE/FISCALIZATION:ERROR/4xx etapa-1
 
NOT_SUBMITTED    -> NUMBER_RESERVED
NUMBER_RESERVED  -> SUBMITTED | SUBMIT_UNCERTAIN | REJECTED
SUBMITTED        -> PENDING | ACCEPTED | REJECTED
PENDING          -> ACCEPTED | REJECTED | PENDING (keep polling)
SUBMIT_UNCERTAIN -> SUBMITTED (reconcile found docId) | REJECTED (confirmed not found)
ACCEPTED         -> (terminal, immutable)
REJECTED         -> (terminal; operator action + new fiscal number required for re-send)

Forbidden transitions:

Note on naming alignment: Momjian uses APPROVED where Kleppmann uses ACCEPTED. The ADR adopts ACCEPTED to align with EU e-invoicing terminology and the DB CHECK constraint in V77. The adapter's EInvoiceStatus.APPROVED is the adapter-interface value; the service layer translates it to the ACCEPTED DB state.

2.5 Persist-Before / Persist-After Protocol (Kleppmann Non-Negotiable #3)

Every submit call follows this exact ordering:

BEFORE the HTTP call — one DB transaction:

  1. SELECT ... FOR UPDATE on the invoice row (concurrent-submit guard)
  2. Check internal_status NOT IN (NUMBER_RESERVED, SUBMITTED, SUBMIT_UNCERTAIN, PENDING) — reject 409 CONFLICT if already in flight
  3. UPSERT hr_einvoice_number_counters and SELECT ... FOR UPDATE to allocate next fiscal number (gapless, Momjian §1)
  4. Compute idempotencyKey = SHA-256(orgId + "|" + invoiceId + "|" + fiscalInvoiceNumber)
  5. Call adapter.serialize(invoice, senderOib = issuerProfile.legalSenderOib) to build UBL XML bytes
  6. Compute sha256Hex = SHA-256(xmlBytes) (hex string)
  7. Write XML bytes to GCS at {orgId}/{fiscalYear}/{fiscalInvoiceNumber}/{submissionId}.xml (write-once; must succeed before row insert)
  8. INSERT hr_einvoice_submissions row with internal_status = NUMBER_RESERVED
  9. COMMIT

HTTP call (outside any transaction):

AFTER the HTTP call — separate DB transaction:

2.6 OIB Binding Invariant (Tabriz Non-Negotiable)

The service layer (HrEInvoiceService.submitInvoice()) MUST enforce this invariant before any HTTP call:

require(invoice.organizationId == principal.organizationId) { "Invoice org mismatch" }
require(issuerProfile.orgId == principal.organizationId) { "Credential org mismatch" }
require(issuerProfile.legalSenderOib == xmlSenderOib) { "OIB binding violated" }

If any assertion fails: HTTP 422, write LoggedAction with event = "hr_einvoice_oib_binding_violation", do NOT proceed. A broken OIB binding causes Bilko to file a fiscalized tax document under the wrong entity's identity with Porezna uprava — that is tax fraud.

2.7 UNIQUE(invoice_id) on hr_einvoice_submissions (Momjian Non-Negotiable)

The UNIQUE (invoice_id) constraint in migration V77 is the architectural load-bearing constraint for this feature. It must be present in the migration before any submission code is merged. Any code path that attempts to create a second active submission row for the same invoice receives a unique constraint violation — the DB-level guard for double-fiscalization even if service-layer checks have a bug.

3. Target Architecture

3.1 Layered View

[HTTP Route]
  POST /invoices/{id}/submit-to-sveracun
  GET  /invoices/{id}/sveracun-status
  GET  /invoices/{id}/sveracun-xml        (admin debug)
  POST /invoices/{id}/poll-sveracun-status (manual poll trigger)
       |
       | JWT principal -> requirePermission("sveracun:submit")
       | organizationId from JWT (never from request body)
       v
[HrEInvoiceService]
  - IssuerProfileRepository.findByOrgId(orgId) -> IssuerProfile
  - OIB binding invariant assertion (hard, not soft)
  - Persist-before-tx (number allocation, XML serialize, GCS write, DB insert)
  - SveRacunHttpClient(apiKeyOverride, senderVatOverride) — per-profile instantiation
  - SveRacunHrEInvoiceAdapter.submit(xmlBytes, invoice, senderOib) — NO retry
  - Persist-after-tx
  - HrEInvoiceNumberService.reserveNextNumber(orgId, issuerOib, fiscalYear)
  - LoggedAction audit write per submit
       |
       v
[SveRacunHrEInvoiceAdapter]  (already implemented; adapter-level changes only)
  - serialize(invoice, senderOib: String)  — senderOib injected, not from env
  - submit(xmlBytes, invoice) -> SubmitResult
  - pollStatus(documentId, invoice) -> EInvoiceStatus
  - mapStatusPair() (unchanged — correct per MC #103445)

[SveRacunHttpClient]  (two client instances after fix)
  - sendClient (NO retry) -> sendDocument()
  - pollClient (retry OK) -> getInternalStatus(), getExternalStatus()

[Postgres — four new tables via Flyway V75-V78]
  hr_einvoice_issuer_config        (IssuerProfile persistence; one row for demo)
  hr_einvoice_number_counters      (gapless fiscal year sequence via FOR UPDATE)
  hr_einvoice_submissions          (submission lifecycle; UNIQUE(invoice_id))
  hr_einvoice_archive              (integrity manifest; INSERT-only; points to GCS)

[GCS — bilko-hr-einvoice-archive-{env}]
  - Write-once per submission at NUMBER_RESERVED (before HTTP call)
  - Integrity verified on retrieve (SHA-256 re-hash comparison)
  - Retention policy: 4015 days LOCKED (11 years WORM) for prod bucket
  - Demo bucket: same write-once pattern; 90-day retention (not locked)

3.2 IssuerProfileRepository Interface

interface IssuerProfileRepository {
    fun findByOrgId(orgId: UUID): IssuerProfile?
}

// Demo implementation: reads from DB table hr_einvoice_issuer_config (V75 migration)
class DbIssuerProfileRepository(
    private val secretManager: GcpSecretManagerClient
) : IssuerProfileRepository {
    override fun findByOrgId(orgId: UUID): IssuerProfile? {
        // SELECT from hr_einvoice_issuer_config WHERE org_id = ? AND enabled = true
        // Resolve apiKey from GCP Secret Manager by api_key_secret_ref
    }
}

For demo: one row in hr_einvoice_issuer_config with enabled = false by default. A manual UPDATE ... SET enabled = true plus SVERACUN_HR_LIVE = true env flip is required to activate live submit. Two explicit gates, both required, neither accidental.

3.3 Route Pattern (Mirrors SefRoutes.kt)

fun Route.sveRacunRoutes() {
    val service by di<HrEInvoiceService>()

    post("/invoices/{id}/submit-to-sveracun") {
        val principal = call.principal<BilkoPrincipal>()!!
        if (requirePermission(principal, "sveracun:submit")) return@post
        val invoiceId = call.parameters["id"] ?: ...
        val organizationId = principal.organizationId   // from JWT, never from request
        try {
            val result = dbQuery { service.submitInvoice(invoiceId, organizationId, principal) }
            call.respond(HttpStatusCode.OK, mapOf(...))
        } catch (e: OibBindingException) { call.respond(422, ...) }
          catch (e: NotFoundException) { call.respond(404, ...) }
          catch (e: ConflictException) { call.respond(409, ...) }
    }

    get("/invoices/{id}/sveracun-status") { /* requirePermission("sveracun:status") */ }
    get("/invoices/{id}/sveracun-xml") { /* admin only; verify SHA-256 before serving */ }
    post("/invoices/{id}/poll-sveracun-status") { /* manual trigger for demo */ }
}

3.4 Persistence Schema — Flyway V75–V78

V75 — hr_einvoice_issuer_config

Per-tenant IssuerProfile persistence. One row for demo (ALAI, DIRECT mode). RLS on org_id. The api_key_secret_ref column stores the GCP Secret Manager resource name — the raw API key is never stored in the DB.

Key columns: org_id UUID NOT NULL, issuer_oib VARCHAR(13) NOT NULL, api_key_secret_ref VARCHAR(1024) NOT NULL, api_base_url VARCHAR(500) NOT NULL DEFAULT 'https://test.sveracun.hr/api', submission_mode VARCHAR(20) NOT NULL DEFAULT 'DIRECT', enabled BOOLEAN NOT NULL DEFAULT FALSE.
Constraint: UNIQUE (org_id, issuer_oib).

V76 — hr_einvoice_number_counters

Gapless fiscal year invoice number counter. One row per (org_id, issuer_oib, fiscal_year). Allocated via SELECT ... FOR UPDATE inside the BEFORE transaction. Never decrements. Numbers are non-returnable even on submission failure.

Key columns: org_id UUID NOT NULL, issuer_oib VARCHAR(13) NOT NULL, fiscal_year SMALLINT NOT NULL, last_number INTEGER NOT NULL DEFAULT 0.
Constraint: UNIQUE (org_id, issuer_oib, fiscal_year). Year rollover: automatic on UPSERT.

V77 — hr_einvoice_submissions

The submission lifecycle table. One row per invoice (UNIQUE invoice_id). Created at number-reservation time. Updated through polling until terminal.

Key columns: org_id UUID NOT NULL, invoice_id UUID NOT NULL (FK invoices.id ON DELETE RESTRICT), fiscal_invoice_number VARCHAR(20) NOT NULL (format YYYY-NNNNNN), idempotency_key VARCHAR(64) NOT NULL, sveracun_document_id VARCHAR(255) NULL, internal_status VARCHAR(30) NOT NULL DEFAULT 'NUMBER_RESERVED', xml_sha256_hex CHAR(64) NOT NULL, submitted_xml_gcs_path VARCHAR(1024) NOT NULL, submitted_by UUID NOT NULL.

Critical constraints:

V78 — hr_einvoice_archive

Integrity manifest for 11-year UBL XML archival. Append-only. bilko_app role has INSERT-only grant (no UPDATE). All FKs are ON DELETE RESTRICT.

Key columns: submission_id UUID NOT NULL (FK, UNIQUE — one archive row per submission), gcs_bucket VARCHAR(255), gcs_object_path VARCHAR(1024), sha256_hex CHAR(64) NOT NULL, retain_until DATE GENERATED ALWAYS AS ((archived_at AT TIME ZONE 'UTC')::DATE + INTERVAL '11 years') STORED.

Archive is written AFTER ACCEPTED state is confirmed (internal=OK + external=FISCALIZATION:OK). The submitted XML written to GCS at NUMBER_RESERVED is the same bytes; the archive row formalizes it as the compliance record.

RLS on all four tables: Standard Bilko pattern from V46/V55. USING (org_id = NULLIF(current_setting('app.current_org_id', true), '')::UUID). FORCE ROW LEVEL SECURITY on all tables. Phase 2C RESTRICTIVE mode activation is a prod prerequisite.

3.5 GCS Archival

Bucket: bilko-hr-einvoice-archive-{env} (e.g. bilko-hr-einvoice-archive-demo).
Object path: {org_id}/{fiscal_year}/{fiscal_invoice_number}/{submission_id}.xml.
Write timing: at NUMBER_RESERVED, before HTTP call. Same bytes sent to sveRačun.
Write-once enforcement: Cloud Run SA has storage.objects.create only; storage.objects.delete denied.
Prod bucket: retention policy 4015 days LOCKED (WORM).
Demo bucket: same write-once pattern; retention 90 days (not locked).

Integrity verification on every retrieval via /invoices/{id}/sveracun-xml: fetch sha256_hex, download GCS bytes, recompute SHA-256, assert equals. If mismatch: HTTP 500 ARCHIVE_INTEGRITY_FAILURE, alert, do not serve bytes.

3.6 Audit Trail

Every submit, poll, and OIB-binding-violation event writes to LoggedAction (existing append-only table). Log structural/operational metadata only — do NOT log invoice line items, buyer/seller names, amounts, tax IDs, IBAN, API key value, or raw XML body (GDPR + Croatian tax secrecy).

4. Demo vs Production Boundary

"No hacks" means the demo is built on the real schema, real idempotency, real OIB binding invariant, and real state machine — with one issuer instead of many. The demo is not a prototype. It is the production system at scale=1.

CapabilityDemo (build now)Prod (parked / future)
IssuerProfile abstractionYES — one ALAI/DIRECT profile in DBSame table; N tenant rows; INTERMEDIARY mode
Schema V75-V78YES — full schema from day oneSame migrations; no change
OIB binding invariantYES — enforced at service layerSame code; more profiles
UNIQUE(invoice_id) on submissionsYES — in V77 before any submit codeSame constraint
Retry-fix on send pathYES — sendClient (no retry)Same fix
Persist-before/after protocolYES — full protocolSame protocol
SUBMIT_UNCERTAIN stateYES — must be representableSame state
GCS write at NUMBER_RESERVEDYES — write-once, SHA-256Same; LOCKED retention policy added
Gapless numbering (FOR UPDATE)YES — counter table V76Same; per-tenant issuer_oib separates sequences
HR einvoice archive row (V78)YES — written on ACCEPTEDSame; 11-year LOCKED policy for prod
sveRačun base URLTEST (test.sveracun.hr)PROD (hr.sveracun.hr)
SVERACUN_HR_LIVE gateExplicit flip required (default false)PROD env flag; separate secret
IssuerProfile.enabled gateExplicit DB update requiredSame; per-tenant enable flow
Background poll workerManual: POST /invoices/{id}/poll-sveracun-statusScheduled job (Cloud Run Job or scheduler)
GCS retention policy90 days (demo bucket; not locked)4015 days LOCKED (WORM)
RLS modePERMISSIVE (current ADR-017 state)RESTRICTIVE (Phase 2C; Securion gate)
PostLink posrednik contract (B2)Not required; DIRECT modeRequired before multi-tenant; legal track
ALAI Norwegian entity HR OIB (B1)Not required; using existing TEST credsLegal confirmation required
Credit note (InvoiceTypeCode 381)Not built; domain model records the typeMust be built for full B2B accounting
Rate limiting (durable)In-memory sliding window; 10/min, 100/day per orgRedis-backed (Cloud Memorystore)

Items NOT Deferred (frequently deferred in prototype builds; not here)

  1. Flyway migrations V75-V78 — schema before any submit code
  2. The UNIQUE (invoice_id) constraint — non-negotiable from the first migration
  3. The retry fix on sendDocument() — before any live call, including TEST
  4. The OIB binding invariant — runtime enforcement, not just a comment
  5. The GCS write at NUMBER_RESERVED — even for demo; write-once pattern identical to prod
  6. The SUBMIT_UNCERTAIN state — sveRačun TEST is not perfectly reliable
  7. LoggedAction audit write per submit

5. Phased Build Plan (7 Work Packages)

WP1 — Foundation: Schema + Retry Fix + OIB Binding + IssuerProfile

Owner: CodeCraft (backend) | Depends on: None

Must land atomically — all in the same PR, before any route code.

  1. Flyway migrations V75, V76, V77, V78 — all four tables with constraints, indexes, RLS, grants
  2. SveRacunHttpClient: split into sendClient (maxRetries=0) + pollClient (maxRetries=3). Existing 42 tests remain green; add test asserting no retry on sendDocument() for 5xx
  3. IssuerProfile data class + SubmissionMode enum
  4. IssuerProfileRepository interface + DbIssuerProfileRepository
  5. SveRacunHrEInvoiceAdapter.serialize(invoice, senderOib: String) — add senderOib param; remove httpClient.configuredSenderVat usage
  6. HrEInvoiceNumberService.reserveNextNumber(orgId, issuerOib, fiscalYear): String — UPSERT + SELECT FOR UPDATE + increment
  7. OibBindingException + ConflictException exception types

Acceptance criteria: All 42 existing adapter tests pass. Flyway migrate runs clean V74→V78. New test: sendDocument() with 5xx does NOT retry (exactly one call). New test: concurrent reserveNextNumber() produces distinct sequential numbers.

WP2 — Service + Persist Protocol: HrEInvoiceService

Owner: CodeCraft (backend) | Depends on: WP1

  1. HrEInvoiceService.submitInvoice() — full persist-before/after protocol, OIB binding invariant, status gate (409 if in flight), IssuerProfile lookup, GCS write, LoggedAction
  2. HrEInvoiceService.pollAndUpdateStatus() — only if SUBMITTED/PENDING/SUBMIT_UNCERTAIN; archive write on ACCEPTED
  3. HrEInvoiceService.getXmlForDownload() — SHA-256 verification on every retrieval; 500 ARCHIVE_INTEGRITY_FAILURE on mismatch

Acceptance criteria: BEFORE tx written before HTTP call. AFTER tx reflects correct state for each case. OIB binding test: mismatched org → 422 + LoggedAction. Concurrent submit → one succeeds, one gets 409. SHA-256 mismatch on download → 500.

WP3 — Route: SveRacunRoutes

Owner: CodeCraft (backend) | Depends on: WP2

  1. All four route handlers (thin layer over service, mirrors SefRoutes.kt)
  2. Rate limit middleware: 10 submit requests/org/minute, 100/org/day (in-memory ConcurrentHashMap sliding window)
  3. Mount in Application.kt alongside sefRoutes()

Acceptance criteria: Unauthenticated → 401. Insufficient role → 403. Wrong org → 404 (not 403; no existence leak). Already SUBMITTED → 409. SVERACUN_HR_LIVE=false → 501. Rate limit: 101st submit in same day → 429.

WP4 — Infra: GCS Bucket + Secret Wiring

Owner: FlowForge (infra) | Depends on: WP1

  1. Terraform: bilko-hr-einvoice-archive-demo GCS bucket — versioning, write-once IAM, 90-day lifecycle
  2. Verify bilko-sveracun-test-api-key exists and Cloud Run SA has secretmanager.versions.access
  3. Secret rotation runbook documented in BookStack
  4. Terraform: bilko-hr-einvoice-archive-prod bucket definition (commented out; LOCKED retention command documented but not executed)

Acceptance criteria: gcloud storage buckets describe bilko-hr-einvoice-archive-demo shows versioning=enabled and no delete in bilko-api SA binding. CI integration test: DbIssuerProfileRepository.findByOrgId(DEMO_ORG_ID) resolves non-null API key. Terraform plan = zero diff after apply.

WP5 — Dead Code Removal

Owner: CodeCraft (backend) | Depends on: WP3

  1. Delete StorecoveHrFiskEInvoiceAdapter.kt (652 lines, abandoned provider, confirmed CEO decision MC #8675)
  2. Remove DI wiring, test references, import statements

Acceptance criteria: ./gradlew build passes with zero Storecove warnings. grep -r "StorecoveHrFisk" apps/api/src returns zero results.

WP6 — Proveo E2E Validation

Owner: Proveo (Angie Jones) | Depends on: WP3, WP4

  1. Submit a real invoice through the route (SVERACUN_HR_LIVE=true, TEST env, IssuerProfile.enabled=true)
  2. Assert HTTP 200 + non-null documentId received and persisted in DB
  3. Assert GCS object exists and SHA-256(GCS bytes) == xml_sha256_hex from DB
  4. Trigger poll; assert status transitions (PENDING → ACCEPTED on TEST env)
  5. Verify status and XML download routes
  6. Security checks: wrong orgId → 404; already SUBMITTED → 409; invalid OIB → 422; unauthenticated → 401
  7. Rate limit: 101st submit → 429
  8. Audit: LoggedAction row present with correct event, no PII in values
  9. Verify zero retry attempts on sendDocument() via structured log count

Acceptance criteria (PASS/FAIL; no partial credit): Real sveRačun TEST HTTP 200 + documentId. GCS object written and SHA-256 verified. All security checks return expected codes. No PII in LoggedAction. Zero retries on send. No StorecoveHrFisk references in deployed artifact.

WP7 — BookStack Documentation

Owner: Skillforge | Depends on: WP6 (Proveo validation passed)

  1. This ADR page (published)
  2. BookStack page: "HR eRačun — Prod Prerequisites Checklist" (Bilko book, Legal & Compliance chapter) — B1/B2 legal track, Phase 2C RLS activation gate, GCS LOCK command, PostLink posrednik contract steps, Securion gate checklist

6. Open Questions for PostLink (Zachariadis Carry-Forward)

Must be answered before any production activation. Parked in the prod track.

#Question
Q1Posrednik / Intermediary Model: Does sveRačun support an intermediary registration where a single API key holder (Bilko) is authorised to submit on behalf of multiple sender OIBs? If yes: is registration self-service via API or manual per-sender?
Q2companyVatNumber Header Semantics: The existing API separates Authorization (API key) from companyVatNumber (sender OIB). Is this header already the posrednik mechanism, or is etapa-1 currently hardcoded to reject unless the two match?
Q3PROD API Credentials: Rate limits on PROD vs TEST. Is the PROD auth scheme identical? Is there a staging environment with real OIBs but test FINA fiscalization path?
Q4Fiscalization Identifier: When FISCALIZATION:OK is returned, does the response body include a FINA fiscal identifier (ZKI/JIR equivalent)? Field name? Must Bilko store and display it?
Q5REJECTION_REPORT Payload: What structured data is in FISCALIZATION_REJECTION_REPORT? Rejection reason code and free text?
Q6Document Retrieval API: Does sveRačun provide a GET /documents/{id}/download endpoint? Critical for SUBMIT_UNCERTAIN reconciliation path.
Q7List by Sender Reference: Can Bilko query sveRačun for all documents submitted by sender OIB X in the last N hours? Required for SUBMIT_UNCERTAIN reconciliation when no documentId was received.
Q8Norwegian Entity Eligibility (B1): Is ALAI Holding AS (Norwegian org.nr, holding HR OIB HR91276104352) eligible as a platform intermediary under PostLink's terms?
Q9Pricing: Per-document pricing for an intermediary platform account. Setup fee per registered sender OIB.

7. Risk Register

RiskProbabilityImpactMitigation
Crash between HTTP 200 and AFTER tx (Kleppmann §5)Low (Cloud Run reliability)CRITICALClarify Q7 (list-by-reference API) with PostLink. Admin recovery endpoint in WP2 as fallback. Document the gap explicitly.
sveRačun TEST API unreliable during demoMediumHIGHSUBMIT_UNCERTAIN state is representable; demo recovery endpoint allows operator to manually enter docId. Brief the demo presenter.
UNIQUE(invoice_id) constraint blocks a legitimate re-send after REJECTEDLow (by design)LowService layer must support soft-delete of REJECTED row + insert of new row with new fiscal number + incremented attempt_seq. Document the re-send flow.
GCS write fails between number allocation and HTTP callLowMEDIUMIf GCS write fails, rollback DB insert. Number is consumed (non-returnable per B5) but absence of submission row signals no send occurred.
Phase 2C RLS not activated before multi-tenant prodCertain (currently PERMISSIVE)CRITICAL for multi-tenantSecurion prod gate checklist (WP7 BookStack). Block prod activation on this item.
PostLink posrednik contract takes longer than expectedHigh (legal/commercial)HIGH for multi-tenant; LOW for demoDemo runs DIRECT mode; no contract required. Architecture does not change.
sveRačun PROD base URL differs in auth schemeUnknownMEDIUMQ3 to PostLink. The baseUrlOverride + apiKeyOverride parameters allow runtime configuration without code change.
Double-fiscal number if FOR UPDATE not atomic in pgBouncerMedium without careCRITICALUse hr_einvoice_number_counters counter table with SELECT ... FOR UPDATE inside a transaction. pgBouncer transaction pooling mode is fine for FOR UPDATE (released at COMMIT).
Developer accidentally wires env-var path instead of IssuerProfileMediumHIGHThe serialize() signature change (WP1) removes httpClient.configuredSenderVat call; senderOib parameter is required (non-nullable). Caught at compile time.

8. Parked Items (Separate Strategic Decision Required)

9. Architectural Decisions Log (Conflict Resolutions)

State name: ACCEPTED vs APPROVED (Kleppmann vs Momjian).
Kleppmann uses ACCEPTED; Momjian uses APPROVED. Decision: DB column and CHECK constraint use ACCEPTED. EInvoiceStatus.APPROVED remains the adapter-interface value (matches existing interface); service translates to ACCEPTED when writing to DB. Rationale: ACCEPTED matches common EU e-invoicing terminology; APPROVED is the accounting approval concept (different thing).

Archive timing: at NUMBER_RESERVED vs at ACCEPTED (Tabriz vs Momjian).
Tabriz: write XML to GCS inside BEFORE transaction. Momjian: archive only after ACCEPTED. Decision: write XML bytes to GCS at NUMBER_RESERVED (Tabriz wins). Create hr_einvoice_archive integrity manifest row only at ACCEPTED (Momjian wins for the archive table write). Rationale: GCS object = bytes store (available from day one for recovery/audit); archive manifest = compliance record (formalized only when FISCALIZATION:OK confirmed). Both layers required.

SUBMIT_UNCERTAIN: Kleppmann has it; Momjian's original CHECK constraint omits it.
Decision: ADD SUBMIT_UNCERTAIN to V77 CHECK constraint. ADR replaces FAILED (Bilko-internal naming) with SUBMIT_UNCERTAIN (semantically precise for sveRačun poll-only model) and ACCEPTED (aligned with adapter interface). Full CHECK list: NUMBER_RESERVED, SUBMITTED, SUBMIT_UNCERTAIN, PENDING, ACCEPTED, REJECTED. FAILED is retired.

IssuerProfile in DB vs config file (Zachariadis vs simplicity).
Zachariadis recommends DB-backed IssuerProfile for demo. Decision: DB-backed from day one (Momjian V75 table). Rationale: single-row demo config in DB is trivial; gives RLS and audit from the start; is the same code path as multi-tenant production. A config-file implementation would need to be ripped out and replaced.

Petter Graff — Lead Architect, HR eRačun Architecture Team, 2026-06-11
Synthesized from inputs by Martin Kleppmann, Bruce Momjian, Markos Zachariadis, Parisa Tabriz.
MC #103453 (architecture documentation) | MC #103464 (build execution)

Backend

Backend

Backend — Target Architecture

Bilko API — Express Backend

BookStack — Provjeri PRVO

Prije traženja bilo čega — provjeri BookStack (http://localhost:6875). Centralna baza znanja za tools, skills, hooks, agents, rules, projekte, klijente, dokumentaciju. Ako odgovor postoji tamo — NE TRAŽI dalje.

Status: NOT BUILT YET

This directory is EMPTY. The CLAUDE.md describes the target architecture. When building, follow docs/backend/API-REFERENCE.md as the implementation contract.

Target Tech Stack

Route Structure

All routes under /api/v1/{resource}:

Middleware Stack (Order Matters)

  1. helmet — Security headers
  2. cors — CORS with whitelist
  3. express.json() — Body parser
  4. rate-limit — 100 req/15min per IP
  5. auth-guard — JWT validation (protected routes)
  6. zod-validation — Request validation
  7. route-handler — Business logic
  8. error-handler — Centralized error responses

Error Response Format

{
  "error": "Error message",
  "code": "ERROR_CODE",
  "details": {} // optional
}

HTTP Status Codes:

Database Access

Authentication

Validation Rules

All requests validated with Zod schemas:

Double-Entry Rules (CRITICAL)

Every financial transaction MUST:

  1. Have both debit and credit accounts
  2. Equal amounts (debit = credit)
  3. Reference the source (invoice ID, expense ID)
  4. Lock exchange rate at transaction date
  5. Create audit log entry (LoggedAction)

Development Rules

  1. NEVER hold money — This is an accounting tool, not a payment processor
  2. Immutable transactions — Once locked, NEVER modify
  3. Audit everything — All mutations logged to LoggedAction
  4. Multi-currency always — Even single-currency orgs need exchange rate support
  5. Test with real accounting scenarios — Invoice → payment → reconciliation

API Reference

Full endpoint documentation in docs/backend/API-REFERENCE.md (to be created). This file will be the contract for implementation.

Backend

Database — Schema & Models

Bilko Database — Prisma + PostgreSQL

BookStack — Provjeri PRVO

Prije traženja bilo čega — provjeri BookStack (http://localhost:6875). Centralna baza znanja za tools, skills, hooks, agents, rules, projekte, klijente, dokumentaciju. Ako odgovor postoji tamo — NE TRAŽI dalje.

Schema Location

prisma/schema.prisma — 15 models, fully defined

Database Models (15)

Core:

Chart of Accounts:

Contacts:

Invoicing:

Expenses:

Transactions:

Banking:

Multi-Currency:

Audit:

Key Design Decisions

1. NUMERIC(19,4) for Money

NEVER use float or JavaScript number for currency.

2. Double-Entry Bookkeeping

Every financial event creates a Transaction with:

3. Multi-Currency with Rate Locking

4. Immutable Audit Trail

LoggedAction table:

5. Transaction Locking

6. Organization-Scoped Multi-Tenancy

7. UUID Primary Keys

Migration Rules

  1. Never edit existing migrations — Always create new ones
  2. Test migrations on copy — Never run on production first
  3. Backward compatible — Additive changes only
  4. Data migrations separate — Use Prisma seed or custom scripts
  5. Rollback plan — Document how to undo breaking changes

Naming Conventions

Indexes

Defined for:

Enums

Development Commands

# Generate Prisma Client
npx prisma generate

# Create migration
npx prisma migrate dev --name migration_name

# Apply migrations (production)
npx prisma migrate deploy

# Reset database (dev only)
npx prisma migrate reset

# Open Prisma Studio
npx prisma studio

Critical Rules

  1. NUMERIC for money — NEVER float
  2. Double-entry enforced — Every transaction has debit + credit
  3. Exchange rates locked — At transaction date, NEVER recalculate
  4. Audit is append-only — NEVER delete LoggedAction records
  5. UUID everywhere — NEVER expose auto-increment IDs
Backend

API Reference

Bilko API Reference

Status: SPECIFICATION (backend not implemented) Base URL: http://localhost:4000/api/v1 (development) Production URL: https://api.bilko.io/api/v1 Last updated: 2026-02-20

Purpose

This document is the implementation contract for Bilko's backend. All ~35 endpoints are specified with:

CRITICAL: Backend is NOT BUILT. This is the spec that apps/api/ MUST implement.

Table of Contents

  1. Authentication (5 endpoints)
  2. Organization (2 endpoints)
  3. Users (4 endpoints)
  4. Contacts (5 endpoints)
  5. Invoices (8 endpoints)
  6. Expenses (6 endpoints)
  7. Bank Accounts (4 endpoints)
  8. Reports (7 endpoints)
  9. Chart of Accounts (3 endpoints)
  10. Transactions (2 endpoints)
  11. Settings (2 endpoints)
  12. Currencies (2 endpoints)

Total: 50 endpoints

API Architecture Overview

graph LR
    subgraph CLIENT [Client]
        FE[Next.js Frontend\nbilko.io:3000]
    end

    subgraph API [Express API — api.bilko.io:4000]
        AUTH_R[/auth/*\nPublic]
        ORG_R[/organization\nAll roles]
        USR_R[/users/*\nowner, admin]
        CON_R[/contacts/*\nAll roles]
        INV_R[/invoices/*\nAll roles]
        EXP_R[/expenses/*\nAll roles]
        BANK_R[/bank-accounts/*\nAll roles]
        RPT_R[/reports/*\nAll roles]
        ACC_R[/accounts/*\nAll roles]
        TXN_R[/transactions/*\nAll roles]
        SET_R[/settings/*\nowner, admin]
        CUR_R[/currencies\nAll roles]
    end

    FE -->|Bearer token\nin Authorization header| API
    FE -->|refreshToken\nhttpOnly cookie| AUTH_R

    style AUTH_R fill:#e2e8f0,color:#000
    style FE fill:#00E5A0,color:#000

Global Response Patterns

Pagination

All list endpoints support pagination:

interface PaginatedResponse<T> {
  data: T[]
  meta: {
    total: number        // Total records
    page: number         // Current page (1-indexed)
    perPage: number      // Records per page
    totalPages: number   // Total pages
  }
}

Query parameters:

Error Responses

interface ApiError {
  error: string                         // Human-readable error message
  code: string                          // Machine-readable error code
  details?: Record<string, string[]>    // Field-level validation errors
}

HTTP Status Codes:

1. Authentication

POST /api/v1/auth/register

Create new organization and owner user.

Auth: None Rate limit: 5 req/min

Request:

interface RegisterRequest {
  // Organization
  organizationName: string
  country: 'RS' | 'BA' | 'HR'        // Serbia, BiH, Croatia
  baseCurrency: 'EUR' | 'RSD' | 'BAM' | 'HRK'
  language: 'sr' | 'bs' | 'hr'
  registrationNumber?: string         // Company tax ID
  vatNumber?: string

  // User
  email: string                       // Must be unique
  password: string                    // Min 8 chars, 1 upper, 1 lower, 1 number
  fullName: string
}

Response (201):

interface RegisterResponse {
  user: {
    id: string
    email: string
    fullName: string
    role: 'owner'
  }
  organization: {
    id: string
    name: string
    country: string
    baseCurrency: string
  }
  tokens: {
    accessToken: string      // JWT, expires in 15 min
    refreshToken: string     // Expires in 7 days
  }
}

Errors:

POST /api/v1/auth/login

Authenticate with email + password.

Auth: None Rate limit: 5 req/min

Request:

interface LoginRequest {
  email: string
  password: string
  rememberMe?: boolean     // If true, refreshToken expires in 30 days
}

Response (200):

interface LoginResponse {
  user: {
    id: string
    email: string
    fullName: string
    role: 'owner' | 'admin' | 'accountant' | 'viewer'
    organizationId: string
    organizationName: string
  }
  tokens: {
    accessToken: string      // JWT, expires in 15 min
    refreshToken: string     // httpOnly cookie
  }
}

Errors:

POST /api/v1/auth/refresh

Get new access token using refresh token.

Auth: Refresh token (httpOnly cookie) Rate limit: 100 req/min

Request: None (uses cookie)

Response (200):

interface RefreshResponse {
  accessToken: string
}

Errors:

POST /api/v1/auth/logout

Invalidate refresh token.

Auth: Bearer token Rate limit: 100 req/min

Request: None

Response (204): No content

GET /api/v1/auth/me

Get current user info.

Auth: Bearer token Rate limit: 100 req/min

Response (200):

interface CurrentUser {
  id: string
  email: string
  fullName: string
  role: 'owner' | 'admin' | 'accountant' | 'viewer'
  twoFactorEnabled: boolean
  lastLoginAt: string | null
  organization: {
    id: string
    name: string
    country: string
    baseCurrency: string
    language: string
  }
}

2. Organization

GET /api/v1/organization

Get organization details.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200):

interface Organization {
  id: string
  name: string
  registrationNumber: string | null
  vatNumber: string | null
  baseCurrency: string
  country: string
  language: string
  fiscalYearStart: string    // ISO date, e.g., "2026-01-01"
  createdAt: string
  updatedAt: string
}

PUT /api/v1/organization

Update organization details.

Auth: Bearer token Roles: owner, admin Rate limit: 10 req/min

Request:

interface UpdateOrganizationRequest {
  name?: string
  registrationNumber?: string
  vatNumber?: string
  baseCurrency?: 'EUR' | 'RSD' | 'BAM' | 'HRK'
  language?: 'sr' | 'bs' | 'hr'
  fiscalYearStart?: string    // ISO date
}

Response (200): Organization object (same as GET)

Errors:

3. Users

GET /api/v1/users

List all users in organization.

Auth: Bearer token Roles: owner, admin Rate limit: 100 req/min

Query:

Response (200):

interface UserListResponse {
  data: Array<{
    id: string
    email: string
    fullName: string
    role: 'owner' | 'admin' | 'accountant' | 'viewer'
    twoFactorEnabled: boolean
    lastLoginAt: string | null
    createdAt: string
  }>
}

POST /api/v1/users/invite

Invite new user to organization.

Auth: Bearer token Roles: owner, admin Rate limit: 10 req/min

Request:

interface InviteUserRequest {
  email: string
  fullName: string
  role: 'admin' | 'accountant' | 'viewer'    // Cannot create 'owner'
}

Response (201):

interface InviteUserResponse {
  user: {
    id: string
    email: string
    fullName: string
    role: string
  }
  inviteLink: string    // One-time setup link, expires in 7 days
}

Errors:

PUT /api/v1/users/:id/role

Change user role.

Auth: Bearer token Roles: owner Rate limit: 10 req/min

Request:

interface ChangeRoleRequest {
  role: 'admin' | 'accountant' | 'viewer'
}

Response (200): User object

Errors:

DELETE /api/v1/users/:id

Remove user from organization.

Auth: Bearer token Roles: owner Rate limit: 10 req/min

Response (204): No content

Errors:

4. Contacts

GET /api/v1/contacts

List contacts (customers/vendors).

Auth: Bearer token Roles: All Rate limit: 100 req/min

Query:

Response (200):

type ContactListResponse = PaginatedResponse<Contact>

interface Contact {
  id: string
  type: 'customer' | 'vendor' | 'both'
  name: string
  email: string | null
  phone: string | null
  registrationNumber: string | null
  vatNumber: string | null
  addressLine1: string | null
  addressLine2: string | null
  city: string | null
  postalCode: string | null
  country: string | null
  currencyCode: string
  paymentTerms: number           // Days
  isActive: boolean
  createdAt: string
  updatedAt: string
}

POST /api/v1/contacts

Create new contact.

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 50 req/min

Request:

interface CreateContactRequest {
  type: 'customer' | 'vendor' | 'both'
  name: string
  email?: string
  phone?: string
  registrationNumber?: string
  vatNumber?: string
  addressLine1?: string
  addressLine2?: string
  city?: string
  postalCode?: string
  country?: string               // ISO 3166-1 alpha-2 (e.g., 'RS')
  currencyCode?: string          // ISO 4217 (default: org baseCurrency)
  paymentTerms?: number          // Default: 30 days
  notes?: string
}

Response (201): Contact object

Errors:

GET /api/v1/contacts/:id

Get contact details.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200): Contact object + notes field

PUT /api/v1/contacts/:id

Update contact.

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 50 req/min

Request: Same as CreateContactRequest (all fields optional)

Response (200): Contact object

DELETE /api/v1/contacts/:id

Soft-delete contact (sets isActive = false).

Auth: Bearer token Roles: owner, admin Rate limit: 10 req/min

Response (204): No content

Errors:

5. Invoices

GET /api/v1/invoices

List invoices.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Query:

Response (200):

type InvoiceListResponse = PaginatedResponse<InvoiceSummary>

interface InvoiceSummary {
  id: string
  invoiceNumber: string
  customerId: string
  customerName: string
  invoiceDate: string
  dueDate: string
  currencyCode: string
  totalAmount: string         // Decimal as string, e.g., "125000.0000"
  status: 'draft' | 'sent' | 'viewed' | 'paid' | 'overdue' | 'cancelled'
  createdAt: string
}

Invoice Creation — Full Sequence

sequenceDiagram
    participant FE as Frontend
    participant MW as Middleware Stack\n(auth, roleGuard, validate)
    participant H as Invoice Handler
    participant DB as PostgreSQL\n(Prisma)
    participant EX as Exchange Rate\nService

    FE->>MW: POST /api/v1/invoices\nAuthorization: Bearer {accessToken}
    MW->>MW: authGuard: verify JWT\nAttach req.user {id, role, orgId}
    MW->>MW: roleGuard: check owner/admin/accountant
    MW->>MW: validate(createInvoiceSchema)\ncustomerId UUID, dates, items[]

    MW->>H: Validated request
    H->>DB: Find Contact by customerId\nwhere orgId matches
    DB-->>H: Contact { email, currencyCode }

    H->>EX: getExchangeRate(invoiceCurrency, orgBaseCurrency, invoiceDate)
    EX-->>H: rate (locked at invoiceDate — NEVER changes)

    H->>H: Calculate:\nlineTotal = qty × unitPrice\ntaxAmount = SUM(lineTotal × taxRate/100)\ntotalAmount = subtotal + taxAmount - discount\nbaseAmount = totalAmount × exchangeRate

    H->>DB: BEGIN TRANSACTION\nGenerate invoiceNumber INV-YYYY-NNN\nINSERT Invoice { status: draft }\nINSERT InvoiceItems[]

    DB-->>H: Invoice created
    H->>DB: INSERT LoggedAction\n{ action: INSERT, tableName: Invoice }
    DB-->>H: Logged

    H->>FE: 201 Created\n{ id, invoiceNumber, status: draft, items, totals }

POST /api/v1/invoices

Create invoice.

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 50 req/min

Request:

interface CreateInvoiceRequest {
  customerId: string
  invoiceDate: string           // ISO date
  dueDate: string               // ISO date
  currencyCode?: string         // Default: customer's currency
  items: Array<{
    description: string
    quantity: number            // Decimal as number
    unitPrice: number           // Decimal as number
    taxRate: number             // Percentage, e.g., 20 for 20%
    accountId?: string          // Revenue account
  }>
  notes?: string
  terms?: string
}

Response (201):

interface Invoice {
  id: string
  invoiceNumber: string         // Auto-generated
  customerId: string
  customerName: string
  invoiceDate: string
  dueDate: string
  currencyCode: string
  exchangeRate: string          // Decimal as string
  subtotal: string
  taxAmount: string
  discountAmount: string
  totalAmount: string
  baseAmount: string            // Converted to org baseCurrency
  status: 'draft'
  items: Array<{
    id: string
    lineNumber: number
    description: string
    quantity: string
    unitPrice: string
    taxRate: string
    lineTotal: string
    accountId: string | null
  }>
  notes: string | null
  terms: string | null
  pdfUrl: string | null
  createdBy: string
  createdAt: string
  updatedAt: string
}

Errors:

GET /api/v1/invoices/:id

Get invoice details.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200): Invoice object (same as POST response)

PUT /api/v1/invoices/:id

Update invoice (draft only).

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 50 req/min

Request: Same as CreateInvoiceRequest

Response (200): Invoice object

Errors:

Invoice Status Transition — Send Flow

sequenceDiagram
    participant FE as Frontend
    participant API as Bilko API
    participant PDF as Puppeteer\nPDF Service
    participant R2 as Cloudflare R2
    participant SG as SendGrid
    participant DB as PostgreSQL

    FE->>API: PATCH /invoices/:id/status\n{ action: "send" }
    API->>DB: Fetch Invoice with items, customer, org
    DB-->>API: Invoice (must be status=draft)
    API->>PDF: generateInvoicePDF(invoice data)
    PDF-->>API: PDF Buffer

    API->>R2: PUT invoices/{orgId}/INV-2026-001.pdf
    R2-->>API: pdfUrl stored

    API->>DB: BEGIN TRANSACTION
    API->>DB: INSERT Transaction {\n  DR: Accounts Receivable (1200)\n  CR: Revenue (4000)\n  amount: invoice.totalAmount\n  referenceType: 'invoice'\n}
    API->>DB: UPDATE Invoice SET\n  status='sent', sentAt=now()\n  pdfUrl=url

    API->>SG: sendEmail({\n  to: customer.email,\n  subject: "Invoice INV-2026-001 from Org",\n  html: template,\n  attachment: pdf\n})
    SG-->>API: { messageId }

    DB-->>API: COMMIT

    API->>FE: 200 { status: sent, sentAt, pdfUrl }

    Note over API: If SendGrid fails:\nKeep invoice as draft\nAdd note: "Email delivery failed"\nAlert admin via Slack

PATCH /api/v1/invoices/:id/status

Change invoice status.

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 50 req/min

Request:

interface ChangeInvoiceStatusRequest {
  action: 'send' | 'mark-paid' | 'cancel'
  paidAt?: string               // Required if action = 'mark-paid'
}

Response (200): Invoice object

Business logic:

Errors:

GET /api/v1/invoices/:id/pdf

Get invoice PDF.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200):

Errors:

POST /api/v1/invoices/:id/send

Send invoice email to customer.

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 10 req/min

Request:

interface SendInvoiceRequest {
  to?: string                   // Override customer email
  cc?: string[]
  subject?: string              // Override default subject
  message?: string              // Custom message
}

Response (200):

interface SendInvoiceResponse {
  sentAt: string
  sentTo: string
  emailId: string               // SendGrid message ID
}

Errors:

6. Expenses

GET /api/v1/expenses

List expenses.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Query:

Response (200):

type ExpenseListResponse = PaginatedResponse<ExpenseSummary>

interface ExpenseSummary {
  id: string
  expenseNumber: string
  vendorId: string | null
  vendorName: string | null
  expenseDate: string
  category: string
  amount: string
  currencyCode: string
  status: 'pending' | 'approved' | 'paid' | 'rejected'
  receiptUrl: string | null
  createdAt: string
}

POST /api/v1/expenses

Create expense.

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 50 req/min

Request:

interface CreateExpenseRequest {
  vendorId?: string
  expenseDate: string
  category: string              // Free text or predefined categories
  amount: number
  currencyCode?: string         // Default: org baseCurrency
  taxAmount?: number
  paymentMethod?: string        // 'cash', 'card', 'bank_transfer', etc.
  accountId?: string            // Expense account
  description?: string
  receiptFile?: File            // Multipart form upload (max 10MB)
}

Response (201):

interface Expense {
  id: string
  expenseNumber: string         // Auto-generated
  vendorId: string | null
  vendorName: string | null
  expenseDate: string
  category: string
  currencyCode: string
  exchangeRate: string
  amount: string
  baseAmount: string
  taxAmount: string
  paymentMethod: string | null
  accountId: string | null
  description: string | null
  receiptUrl: string | null     // Cloudflare R2 URL
  status: 'pending'
  createdBy: string
  createdAt: string
  updatedAt: string
}

Errors:

GET /api/v1/expenses/:id

Get expense details.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200): Expense object

PUT /api/v1/expenses/:id

Update expense (pending only).

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 50 req/min

Request: Same as CreateExpenseRequest

Response (200): Expense object

Errors:

Expense Approval — Full Sequence

sequenceDiagram
    participant FE as Frontend\n(admin/owner)
    participant MW as Middleware Stack
    participant H as Expense Handler
    participant DB as PostgreSQL

    FE->>MW: PATCH /api/v1/expenses/:id/approve\nAuthorization: Bearer {accessToken}
    MW->>MW: authGuard: verify JWT
    MW->>MW: roleGuard: owner or admin ONLY\n(accountant CANNOT approve)

    MW->>H: Request passes
    H->>DB: Find Expense by id\nwhere organizationId = req.orgId
    DB-->>H: Expense { status: pending, amount, accountId }

    H->>H: Validate: status must be 'pending'\nIf not → 400 Bad Request

    H->>DB: BEGIN TRANSACTION

    H->>DB: Find ExpenseAccount\n(expense.accountId or default 5xxx)
    H->>DB: Find AccountsPayable account\n(2110 or configured account)

    H->>DB: INSERT Transaction {\n  debitAccountId: expenseAccountId,\n  creditAccountId: accountsPayableId,\n  amount: expense.amount,\n  referenceType: 'expense',\n  referenceId: expense.id\n}

    H->>DB: UPDATE Expense SET\n  status='approved',\n  approvedBy=req.user.id,\n  approvedAt=now()

    H->>DB: INSERT LoggedAction

    DB-->>H: COMMIT

    H->>FE: 200 OK\n{ id, status: approved, approvedBy, approvedAt }

PATCH /api/v1/expenses/:id/approve

Approve expense.

Auth: Bearer token Roles: owner, admin Rate limit: 50 req/min

Response (200): Expense object (status = approved)

Business logic:

Errors:

DELETE /api/v1/expenses/:id

Delete expense (pending only).

Auth: Bearer token Roles: owner, admin Rate limit: 10 req/min

Response (204): No content

Errors:

7. Bank Accounts

GET /api/v1/bank-accounts

List bank accounts.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200):

interface BankAccountListResponse {
  data: Array<{
    id: string
    accountId: string           // GL account ID
    accountCode: string         // GL account code
    bankName: string
    accountNumber: string | null
    iban: string | null
    currencyCode: string
    currentBalance: string
    isActive: boolean
    createdAt: string
    updatedAt: string
  }>
}

POST /api/v1/bank-accounts

Create bank account.

Auth: Bearer token Roles: owner, admin Rate limit: 10 req/min

Request:

interface CreateBankAccountRequest {
  accountId: string             // Must be Asset account
  bankName: string
  accountNumber?: string
  iban?: string
  currencyCode: string
  currentBalance?: number       // Default: 0
}

Response (201): BankAccount object

Errors:

GET /api/v1/bank-accounts/:id/transactions

Get bank transactions.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Query:

Response (200):

type BankTransactionListResponse = PaginatedResponse<BankTransaction>

interface BankTransaction {
  id: string
  transactionDate: string
  amount: string                // Positive = credit, negative = debit
  description: string | null
  reference: string | null
  reconciled: boolean
  matchedTransactionId: string | null
  createdAt: string
}

POST /api/v1/bank-accounts/:id/import

Import bank statement (CSV).

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 10 req/min

Request:

CSV format:

Date,Description,Amount,Reference
2026-02-19,"Payment from customer",3500.00,INV-2026-002
2026-02-18,"AWS Invoice",-850.00,

Response (200):

interface ImportStatementResponse {
  imported: number
  duplicates: number
  errors: Array<{
    line: number
    error: string
  }>
}

Errors:

Bank Reconciliation — Full Sequence

sequenceDiagram
    participant FE as Frontend
    participant API as Bilko API
    participant DB as PostgreSQL

    Note over FE,DB: Step 1 — Import Bank Statement
    FE->>API: POST /bank-accounts/:id/import\n[multipart: CSV file, max 5MB]
    API->>API: Parse CSV\nDate, Description, Amount, Reference
    API->>DB: INSERT BankTransaction[] records\n{ bankAccountId, transactionDate, amount, reference }
    DB-->>API: Imported count
    API->>FE: 200 { imported: 45, duplicates: 2, errors: [] }

    Note over FE,DB: Step 2 — Auto-Match Suggestions
    FE->>API: GET /bank-accounts/:id/transactions?reconciled=false
    API->>DB: Fetch unreconciled BankTransactions
    DB-->>API: BankTransaction[]
    API->>DB: Fetch unreconciled GL Transactions\nfor same date range
    DB-->>API: Transaction[]
    API->>API: calculateMatchScore() for each pair\nAmount match +50\nDate match +30/+20/+10\nReference match +20
    API->>FE: 200 { bankTransactions, suggestions[{ bankTxId, glTxId, score }] }

    Note over FE,DB: Step 3 — Confirm Reconciliation
    FE->>API: POST /bank-accounts/:id/reconcile\n{ bankTransactionId, transactionId }
    API->>DB: Find both records, verify same org
    API->>DB: UPDATE BankTransaction SET\n  reconciled=true\n  matchedTransactionId=glTxId
    API->>DB: UPDATE Transaction SET\n  reconciled=true\n  reconciledAt=now()
    DB-->>API: Both updated
    API->>FE: 200 { bankTransaction, transaction, confidence: 95 }

POST /api/v1/bank-accounts/:id/reconcile

Reconcile bank transactions with GL transactions.

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 10 req/min

Request:

interface ReconcileRequest {
  bankTransactionId: string
  transactionId: string         // GL transaction ID
}

Response (200):

interface ReconcileResponse {
  bankTransaction: BankTransaction
  transaction: Transaction
  confidence: number            // 0-100 match score
}

Errors:

8. Reports

GET /api/v1/reports/dashboard

Get dashboard metrics.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200):

interface DashboardMetrics {
  cashBalance: string           // Total across all bank accounts (in baseCurrency)
  revenueMTD: string            // Month-to-date revenue
  unpaidInvoices: string        // Total unpaid invoices
  expensesMTD: string           // Month-to-date expenses
  profitMTD: string             // revenueMTD - expensesMTD
  cashFlowChange: number        // Percentage change from last month

  // Chart data
  monthlyPL: Array<{
    month: string
    revenue: string
    expenses: string
    profit: string
  }>

  receivablesAging: {
    current: string             // 0-30 days
    days30: string              // 31-60 days
    days60: string              // 61-90 days
    days90plus: string          // 90+ days
  }

  expensesByCategory: Array<{
    category: string
    amount: string
    currencyCode: string
  }>
}

GET /api/v1/reports/profit-loss

Profit & Loss statement.

Auth: Bearer token Roles: All Rate limit: 50 req/min

Query:

Response (200):

interface ProfitLossReport {
  period: {
    from: string
    to: string
  }
  baseCurrency: string

  revenue: {
    total: string
    accounts: Array<{
      accountCode: string
      accountName: string
      amount: string
    }>
  }

  expenses: {
    total: string
    accounts: Array<{
      accountCode: string
      accountName: string
      amount: string
    }>
  }

  netProfit: string             // revenue.total - expenses.total
}

GET /api/v1/reports/balance-sheet

Balance Sheet.

Auth: Bearer token Roles: All Rate limit: 50 req/min

Query:

Response (200):

interface BalanceSheetReport {
  asOfDate: string
  baseCurrency: string

  assets: {
    total: string
    current: {
      total: string
      accounts: Array<AccountBalance>
    }
    fixed: {
      total: string
      accounts: Array<AccountBalance>
    }
  }

  liabilities: {
    total: string
    current: {
      total: string
      accounts: Array<AccountBalance>
    }
    longTerm: {
      total: string
      accounts: Array<AccountBalance>
    }
  }

  equity: {
    total: string
    accounts: Array<AccountBalance>
  }
}

interface AccountBalance {
  accountCode: string
  accountName: string
  balance: string
}

GET /api/v1/reports/cash-flow

Cash Flow statement.

Auth: Bearer token Roles: All Rate limit: 50 req/min

Query:

Response (200):

interface CashFlowReport {
  period: {
    from: string
    to: string
  }
  baseCurrency: string

  operating: {
    total: string
    items: Array<{
      description: string
      amount: string
    }>
  }

  investing: {
    total: string
    items: Array<{
      description: string
      amount: string
    }>
  }

  financing: {
    total: string
    items: Array<{
      description: string
      amount: string
    }>
  }

  netCashFlow: string
  openingBalance: string
  closingBalance: string
}

GET /api/v1/reports/vat

VAT/PDV report.

Auth: Bearer token Roles: All Rate limit: 50 req/min

Query:

Response (200):

interface VATReport {
  period: {
    from: string
    to: string
  }
  country: string               // Organization country

  outputVAT: {
    total: string
    invoices: Array<{
      invoiceNumber: string
      customerName: string
      invoiceDate: string
      baseAmount: string
      vatAmount: string
      vatRate: string
    }>
  }

  inputVAT: {
    total: string
    expenses: Array<{
      expenseNumber: string
      vendorName: string
      expenseDate: string
      baseAmount: string
      vatAmount: string
      vatRate: string
    }>
  }

  netVAT: string                // outputVAT.total - inputVAT.total

  reconciliationStatus: {
    allInvoicesPaid: boolean
    allExpensesApproved: boolean
    unmatchedTransactions: number
  }
}

GET /api/v1/reports/trial-balance

Trial Balance.

Auth: Bearer token Roles: All Rate limit: 50 req/min

Query:

Response (200):

interface TrialBalanceReport {
  asOfDate: string
  baseCurrency: string

  accounts: Array<{
    accountCode: string
    accountName: string
    accountType: string
    debitTotal: string
    creditTotal: string
    balance: string
  }>

  totals: {
    debit: string
    credit: string
  }

  balanced: boolean             // totals.debit === totals.credit
}

9. Chart of Accounts

GET /api/v1/accounts

List chart of accounts.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Query:

Response (200):

interface AccountListResponse {
  data: Array<{
    id: string
    code: string                // e.g., "1000", "4000"
    name: string                // e.g., "Bank Account EUR", "Revenue"
    accountTypeId: number
    accountTypeName: string     // Asset, Liability, Equity, Revenue, Expense
    normalBalance: 'debit' | 'credit'
    currencyCode: string
    parentAccountId: string | null
    parentAccountCode: string | null
    isActive: boolean
    currentBalance: string      // Calculated from transactions
    createdAt: string
    updatedAt: string
  }>
}

POST /api/v1/accounts

Create account.

Auth: Bearer token Roles: owner, admin Rate limit: 10 req/min

Request:

interface CreateAccountRequest {
  code: string                  // Must be unique within organization
  name: string
  accountTypeId: number         // 1-5 (Asset, Liability, Equity, Revenue, Expense)
  currencyCode?: string         // Default: org baseCurrency
  parentAccountId?: string      // For sub-accounts
}

Response (201): Account object

Errors:

PUT /api/v1/accounts/:id

Update account.

Auth: Bearer token Roles: owner, admin Rate limit: 10 req/min

Request:

interface UpdateAccountRequest {
  name?: string
  isActive?: boolean
}

Response (200): Account object

Errors:

10. Transactions

GET /api/v1/transactions

List general ledger transactions.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Query:

Response (200):

type TransactionListResponse = PaginatedResponse<Transaction>

interface Transaction {
  id: string
  transactionDate: string
  description: string
  debitAccountId: string
  debitAccountCode: string
  debitAccountName: string
  creditAccountId: string
  creditAccountCode: string
  creditAccountName: string
  amount: string
  currencyCode: string
  exchangeRate: string
  baseAmount: string
  referenceType: string | null
  referenceId: string | null
  locked: boolean
  reconciled: boolean
  createdBy: string
  createdAt: string
}

POST /api/v1/transactions

Create manual journal entry.

Auth: Bearer token Roles: owner, admin, accountant Rate limit: 20 req/min

Request:

interface CreateTransactionRequest {
  transactionDate: string
  description: string
  debitAccountId: string
  creditAccountId: string
  amount: number
  currencyCode?: string         // Default: org baseCurrency
  notes?: string
}

Response (201): Transaction object

Errors:

11. Settings

GET /api/v1/settings/tax-rates

Get tax rate configuration.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200):

interface TaxRatesResponse {
  country: string
  defaultVATRate: number        // e.g., 20 for Serbia, 17 for BiH
  rates: Array<{
    name: string                // "Standard", "Reduced", "Zero"
    rate: number
    description: string
  }>
}

PUT /api/v1/settings/tax-rates

Update tax rate configuration.

Auth: Bearer token Roles: owner, admin Rate limit: 10 req/min

Request:

interface UpdateTaxRatesRequest {
  defaultVATRate: number
  rates: Array<{
    name: string
    rate: number
    description: string
  }>
}

Response (200): TaxRatesResponse

12. Currencies

GET /api/v1/currencies

List supported currencies.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Response (200):

interface CurrencyListResponse {
  data: Array<{
    code: string                // ISO 4217
    name: string
    symbol: string | null
    decimalPlaces: number
    isActive: boolean
  }>
}

GET /api/v1/exchange-rates

Get exchange rates.

Auth: Bearer token Roles: All Rate limit: 100 req/min

Query:

Response (200):

interface ExchangeRateResponse {
  baseCurrency: string
  targetCurrency: string
  rate: string                  // Decimal as string
  effectiveDate: string
  source: string                // "ECB", "fixer.io", "manual"
  lastUpdated: string
}

Errors:

Endpoint Summary Map

graph TD
    subgraph AUTH [Authentication — No auth required]
        A1[POST /auth/register]
        A2[POST /auth/login]
        A3[POST /auth/refresh]
        A4[POST /auth/logout]
        A5[GET /auth/me]
    end

    subgraph ORG [Organization]
        O1[GET /organization]
        O2[PUT /organization]
    end

    subgraph USR [Users]
        U1[GET /users]
        U2[POST /users/invite]
        U3[PUT /users/:id/role]
        U4[DELETE /users/:id]
    end

    subgraph CON [Contacts]
        C1[GET /contacts]
        C2[POST /contacts]
        C3[GET /contacts/:id]
        C4[PUT /contacts/:id]
        C5[DELETE /contacts/:id]
    end

    subgraph INV [Invoices]
        I1[GET /invoices]
        I2[POST /invoices]
        I3[GET /invoices/:id]
        I4[PUT /invoices/:id]
        I5[PATCH /invoices/:id/status]
        I6[GET /invoices/:id/pdf]
        I7[POST /invoices/:id/send]
    end

    subgraph EXP [Expenses]
        E1[GET /expenses]
        E2[POST /expenses]
        E3[GET /expenses/:id]
        E4[PUT /expenses/:id]
        E5[PATCH /expenses/:id/approve]
        E6[DELETE /expenses/:id]
    end

    subgraph BANK [Bank Accounts]
        B1[GET /bank-accounts]
        B2[POST /bank-accounts]
        B3[GET /bank-accounts/:id/transactions]
        B4[POST /bank-accounts/:id/import]
        B5[POST /bank-accounts/:id/reconcile]
    end

    subgraph RPT [Reports]
        R1[GET /reports/dashboard]
        R2[GET /reports/profit-loss]
        R3[GET /reports/balance-sheet]
        R4[GET /reports/cash-flow]
        R5[GET /reports/vat]
        R6[GET /reports/trial-balance]
    end

    subgraph MISC [Other]
        M1[GET /accounts]
        M2[POST /accounts]
        M3[PUT /accounts/:id]
        M4[GET /transactions]
        M5[POST /transactions]
        M6[GET /settings/tax-rates]
        M7[PUT /settings/tax-rates]
        M8[GET /currencies]
        M9[GET /exchange-rates]
    end

Implementation Notes

Request Validation

All requests validated with Zod schemas. Invalid requests return 422 with field-level errors.

Database Transactions

All write operations wrapped in database transactions. Rollback on error.

Audit Logging

All INSERT/UPDATE/DELETE captured in LoggedAction table via Prisma middleware.

Rate Limiting

File Uploads

CORS

Error Logging

Example Requests

Create Invoice

curl -X POST http://localhost:4000/api/v1/invoices \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "customerId": "550e8400-e29b-41d4-a716-446655440000",
    "invoiceDate": "2026-02-20",
    "dueDate": "2026-03-20",
    "items": [
      {
        "description": "Web Development",
        "quantity": 40,
        "unitPrice": 100,
        "taxRate": 20
      }
    ]
  }'

Get Dashboard Metrics

curl http://localhost:4000/api/v1/reports/dashboard \
  -H "Authorization: Bearer $TOKEN"

End of API Reference

Backend

Database Schema

Bilko Database Schema

Status: IMPLEMENTED (Prisma schema exists) Location: /Users/makinja/ALAI/products/Bilko/packages/database/prisma/schema.prisma Database: PostgreSQL 14+ ORM: Prisma 5.x Last updated: 2026-02-20

Purpose

This document describes the complete database schema for Bilko. The schema is IMPLEMENTED in Prisma and ready for migration. This doc explains the relationships, constraints, and design decisions.

Entity Relationship Overview

Organization (1) ──┬── (N) User
                   ├── (N) Account
                   ├── (N) Contact
                   ├── (N) Invoice
                   ├── (N) Expense
                   ├── (N) Transaction
                   └── (N) BankAccount

Contact (1) ────┬── (N) Invoice
                └── (N) Expense

Invoice (1) ──── (N) InvoiceItem

Account (1) ───┬── (N) InvoiceItem
               ├── (N) Expense
               ├── (N) BankAccount
               ├── (N) Transaction (debit)
               ├── (N) Transaction (credit)
               └── (N) Account (parent-child hierarchy)

BankAccount (1) ── (N) BankTransaction

Currency (1) ───┬── (N) ExchangeRate (base)
                └── (N) ExchangeRate (target)

User (1) ───┬── (N) Invoice (creator)
            ├── (N) Expense (creator)
            ├── (N) Expense (approver)
            ├── (N) Transaction (creator)
            └── (N) LoggedAction

Full ER Diagram

erDiagram
    Organization {
        UUID id PK
        VARCHAR name
        VARCHAR registrationNumber
        VARCHAR vatNumber
        CHAR baseCurrency
        CHAR country
        CHAR language
        DATE fiscalYearStart
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    User {
        UUID id PK
        UUID organizationId FK
        VARCHAR email
        VARCHAR passwordHash
        VARCHAR fullName
        ENUM role
        BOOLEAN twoFactorEnabled
        VARCHAR twoFactorSecret
        TIMESTAMP lastLoginAt
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    AccountType {
        INT id PK
        VARCHAR name
        ENUM normalBalance
        TIMESTAMP createdAt
    }

    Account {
        UUID id PK
        UUID organizationId FK
        VARCHAR code
        VARCHAR name
        INT accountTypeId FK
        CHAR currencyCode
        UUID parentAccountId FK
        BOOLEAN isActive
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    Contact {
        UUID id PK
        UUID organizationId FK
        ENUM type
        VARCHAR name
        VARCHAR email
        VARCHAR phone
        VARCHAR vatNumber
        VARCHAR addressLine1
        VARCHAR city
        CHAR country
        CHAR currencyCode
        INT paymentTerms
        BOOLEAN isActive
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    Invoice {
        UUID id PK
        UUID organizationId FK
        UUID customerId FK
        VARCHAR invoiceNumber
        DATE invoiceDate
        DATE dueDate
        CHAR currencyCode
        DECIMAL exchangeRate
        DECIMAL subtotal
        DECIMAL taxAmount
        DECIMAL discountAmount
        DECIMAL totalAmount
        DECIMAL baseAmount
        ENUM status
        TIMESTAMP sentAt
        TIMESTAMP paidAt
        VARCHAR pdfUrl
        UUID createdBy FK
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    InvoiceItem {
        UUID id PK
        UUID invoiceId FK
        INT lineNumber
        VARCHAR description
        DECIMAL quantity
        DECIMAL unitPrice
        DECIMAL taxRate
        DECIMAL lineTotal
        UUID accountId FK
        TIMESTAMP createdAt
    }

    Expense {
        UUID id PK
        UUID organizationId FK
        UUID vendorId FK
        VARCHAR expenseNumber
        DATE expenseDate
        CHAR currencyCode
        DECIMAL exchangeRate
        DECIMAL amount
        DECIMAL baseAmount
        DECIMAL taxAmount
        VARCHAR category
        VARCHAR paymentMethod
        UUID accountId FK
        ENUM status
        UUID approvedBy FK
        TIMESTAMP approvedAt
        UUID createdBy FK
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    Transaction {
        UUID id PK
        UUID organizationId FK
        DATE transactionDate
        VARCHAR description
        UUID debitAccountId FK
        UUID creditAccountId FK
        DECIMAL amount
        CHAR currencyCode
        DECIMAL exchangeRate
        DECIMAL baseAmount
        VARCHAR referenceType
        UUID referenceId
        BOOLEAN locked
        BOOLEAN reconciled
        UUID createdBy FK
        TIMESTAMP createdAt
    }

    BankAccount {
        UUID id PK
        UUID organizationId FK
        UUID accountId FK
        VARCHAR bankName
        VARCHAR accountNumber
        VARCHAR iban
        CHAR currencyCode
        DECIMAL currentBalance
        BOOLEAN isActive
        TIMESTAMP createdAt
        TIMESTAMP updatedAt
    }

    BankTransaction {
        UUID id PK
        UUID bankAccountId FK
        DATE transactionDate
        DECIMAL amount
        VARCHAR description
        VARCHAR reference
        BOOLEAN reconciled
        UUID matchedTransactionId
        TIMESTAMP createdAt
    }

    Currency {
        CHAR code PK
        VARCHAR name
        VARCHAR symbol
        SMALLINT decimalPlaces
        BOOLEAN isActive
        TIMESTAMP createdAt
    }

    ExchangeRate {
        UUID id PK
        CHAR baseCurrency FK
        CHAR targetCurrency FK
        DECIMAL rate
        DATE effectiveDate
        VARCHAR source
        TIMESTAMP lastUpdated
    }

    LoggedAction {
        BIGINT eventId PK
        TEXT schemaName
        TEXT tableName
        UUID userId FK
        TIMESTAMP actionTimestamp
        ENUM action
        JSONB rowData
        JSONB changedFields
        INET clientIp
    }

    SchemaVersion {
        VARCHAR version PK
        TIMESTAMP appliedAt
        TEXT description
    }

    Organization ||--o{ User : "has"
    Organization ||--o{ Account : "owns"
    Organization ||--o{ Contact : "manages"
    Organization ||--o{ Invoice : "issues"
    Organization ||--o{ Expense : "tracks"
    Organization ||--o{ Transaction : "records"
    Organization ||--o{ BankAccount : "holds"

    User ||--o{ Invoice : "createdBy"
    User ||--o{ Expense : "createdBy"
    User ||--o{ Expense : "approvedBy"
    User ||--o{ Transaction : "createdBy"
    User ||--o{ LoggedAction : "performed"

    AccountType ||--o{ Account : "categorizes"
    Account ||--o{ Account : "parentOf"
    Account ||--o{ InvoiceItem : "revenueAccount"
    Account ||--o{ Expense : "expenseAccount"
    Account ||--o| BankAccount : "glAccount"
    Account ||--o{ Transaction : "debitAccount"
    Account ||--o{ Transaction : "creditAccount"

    Contact ||--o{ Invoice : "customer"
    Contact ||--o{ Expense : "vendor"

    Invoice ||--o{ InvoiceItem : "contains"

    BankAccount ||--o{ BankTransaction : "has"

    Currency ||--o{ ExchangeRate : "base"
    Currency ||--o{ ExchangeRate : "target"

Multi-Tenant Scoping

graph LR
    ORG[Organization\nMulti-tenant Root]

    ORG --> U[Users\nowner/admin/accountant/viewer]
    ORG --> COA[Chart of Accounts\nHierarchical GL]
    ORG --> C[Contacts\nCustomers & Vendors]
    ORG --> INV[Invoices\nOutgoing]
    ORG --> EXP[Expenses\nIncoming]
    ORG --> TXN[Transactions\nDouble-Entry Ledger]
    ORG --> BANK[BankAccounts\nReconciliation]

    INV --> ITEM[InvoiceItems\nLine Items]
    BANK --> BTXN[BankTransactions\nStatement Import]
    TXN --> LOG[LoggedAction\nAudit Trail]

    style ORG fill:#00E5A0,color:#000
    style TXN fill:#ffd700,color:#000

Core Tables

1. Organization

Purpose: Multi-tenant root. Every business is one organization.

Column Type Constraints Description
id UUID PK, default uuid_generate_v4() Primary key
name VARCHAR(255) NOT NULL Business name
registrationNumber VARCHAR(50) NULL Company tax ID
vatNumber VARCHAR(50) NULL VAT registration number
baseCurrency CHAR(3) NOT NULL, default 'EUR' ISO 4217 currency code
country CHAR(2) NOT NULL ISO 3166-1 alpha-2 country code
language CHAR(2) NOT NULL, default 'sr' ISO 639-1 language code
fiscalYearStart DATE NOT NULL, default '2026-01-01' Fiscal year start date
createdAt TIMESTAMP NOT NULL, default now() Record creation timestamp
updatedAt TIMESTAMP NOT NULL, default now() Last update timestamp

Indexes:

Business rules:

2. User

Purpose: Users within an organization. Role-based access control.

Column Type Constraints Description
id UUID PK Primary key
organizationId UUID FK → Organization, NOT NULL, CASCADE Organization membership
email VARCHAR(255) UNIQUE, NOT NULL Login email
passwordHash VARCHAR(255) NOT NULL bcrypt hash (12 rounds)
fullName VARCHAR(255) NOT NULL Display name
role ENUM NOT NULL owner, admin, accountant, viewer
twoFactorEnabled BOOLEAN NOT NULL, default false 2FA status
twoFactorSecret VARCHAR(255) NULL TOTP secret
lastLoginAt TIMESTAMP NULL Last login timestamp
createdAt TIMESTAMP NOT NULL Account creation
updatedAt TIMESTAMP NOT NULL Last update

Indexes:

Enums:

enum UserRole {
  owner       // Full access, can delete org
  admin       // Can manage users and settings
  accountant  // Can create invoices/expenses
  viewer      // Read-only access
}

Business rules:

Chart of Accounts

Account Hierarchy & Normal Balances

graph TD
    COA[Chart of Accounts]

    COA --> A[1xxx Assets\nnormalBalance: debit]
    COA --> L[2xxx Liabilities\nnormalBalance: credit]
    COA --> E[3xxx Equity\nnormalBalance: credit]
    COA --> R[4xxx Revenue\nnormalBalance: credit]
    COA --> EX[5xxx Expenses\nnormalBalance: debit]

    A --> CA[1100 Current Assets]
    A --> FA[1500 Fixed Assets]
    CA --> Cash[1110 Cash]
    CA --> Bank[1120 Bank Accounts]
    CA --> AR[1200 Accounts Receivable]
    Bank --> B1[1121 Intesa RSD]
    Bank --> B2[1122 Raiffeisen EUR]

    L --> CL[2100 Current Liabilities]
    L --> LL[2500 Long-term]
    CL --> AP[2110 Accounts Payable]
    CL --> VAT[2120 VAT Payable]

    E --> SC[3100 Share Capital]
    E --> RE[3900 Retained Earnings]

    R --> SR[4100 Service Revenue]
    R --> PR[4200 Product Sales]

    EX --> OE[5100 Operating Expenses]
    OE --> SAL[5110 Salaries]
    OE --> RENT[5120 Rent]

    style A fill:#4ade80,color:#000
    style L fill:#f87171,color:#000
    style E fill:#60a5fa,color:#000
    style R fill:#a78bfa,color:#000
    style EX fill:#fb923c,color:#000

3. AccountType

Purpose: Defines account categories for double-entry bookkeeping.

Column Type Constraints Description
id INT PK, AUTOINCREMENT Primary key
name VARCHAR(50) UNIQUE, NOT NULL Asset, Liability, Equity, Revenue, Expense
normalBalance ENUM NOT NULL debit or credit
createdAt TIMESTAMP NOT NULL Record creation

Enums:

enum NormalBalance {
  debit   // Asset, Expense accounts increase with debits
  credit  // Liability, Equity, Revenue accounts increase with credits
}

Seed data:

1 | Asset      | debit
2 | Liability  | credit
3 | Equity     | credit
4 | Revenue    | credit
5 | Expense    | debit

4. Account

Purpose: Chart of Accounts. Hierarchical GL accounts.

Column Type Constraints Description
id UUID PK Primary key
organizationId UUID FK → Organization, NOT NULL Organization scope
code VARCHAR(10) NOT NULL Account code (e.g., "1000", "4000")
name VARCHAR(255) NOT NULL Account name (e.g., "Cash", "Revenue")
accountTypeId INT FK → AccountType, NOT NULL Account category
currencyCode CHAR(3) NOT NULL, default 'EUR' Account currency
parentAccountId UUID FK → Account, NULL Parent account (for sub-accounts)
isActive BOOLEAN NOT NULL, default true Active status
createdAt TIMESTAMP NOT NULL Record creation
updatedAt TIMESTAMP NOT NULL Last update

Indexes:

Business rules:

Contacts (Customers & Vendors)

5. Contact

Purpose: Customers (invoice recipients) and vendors (expense payees).

Column Type Constraints Description
id UUID PK Primary key
organizationId UUID FK → Organization, NOT NULL Organization scope
type ENUM NOT NULL customer, vendor, both
name VARCHAR(255) NOT NULL Contact name
email VARCHAR(255) NULL Email address
phone VARCHAR(50) NULL Phone number
registrationNumber VARCHAR(50) NULL Company registration number
vatNumber VARCHAR(50) NULL VAT number
addressLine1 VARCHAR(255) NULL Street address
addressLine2 VARCHAR(255) NULL Apt/suite
city VARCHAR(100) NULL City
postalCode VARCHAR(20) NULL Postal/ZIP code
country CHAR(2) NULL ISO 3166-1 alpha-2
currencyCode CHAR(3) NOT NULL, default 'EUR' Preferred currency
paymentTerms INT NOT NULL, default 30 Payment terms in days
notes TEXT NULL Free-text notes
isActive BOOLEAN NOT NULL, default true Active status
createdAt TIMESTAMP NOT NULL Record creation
updatedAt TIMESTAMP NOT NULL Last update

Indexes:

Enums:

enum ContactType {
  customer  // Invoice recipient
  vendor    // Expense payee
  both      // Can be both customer and vendor
}

Business rules:

Invoicing

6. Invoice

Purpose: Sales invoices (outgoing). Revenue recognition.

Column Type Constraints Description
id UUID PK Primary key
organizationId UUID FK → Organization, NOT NULL Organization scope
customerId UUID FK → Contact, NOT NULL Invoice recipient
invoiceNumber VARCHAR(50) NOT NULL Auto-generated (e.g., INV-2026-001)
invoiceDate DATE NOT NULL Invoice issue date
dueDate DATE NOT NULL Payment due date
currencyCode CHAR(3) NOT NULL Invoice currency
exchangeRate DECIMAL(12,6) NOT NULL, default 1.0 Exchange rate at invoiceDate
subtotal DECIMAL(19,4) NOT NULL Sum of line totals (before tax)
taxAmount DECIMAL(19,4) NOT NULL, default 0 Total VAT/tax
discountAmount DECIMAL(19,4) NOT NULL, default 0 Total discount
totalAmount DECIMAL(19,4) NOT NULL subtotal + taxAmount - discountAmount
baseAmount DECIMAL(19,4) NOT NULL Converted to org baseCurrency
status ENUM NOT NULL, default 'draft' Invoice status
sentAt TIMESTAMP NULL When invoice was sent
viewedAt TIMESTAMP NULL When customer viewed (email tracking)
paidAt TIMESTAMP NULL When marked as paid
notes TEXT NULL Internal notes
terms TEXT NULL Payment terms text
pdfUrl VARCHAR(500) NULL Cloudflare R2 URL
createdBy UUID FK → User, NULL Creator user
createdAt TIMESTAMP NOT NULL Record creation
updatedAt TIMESTAMP NOT NULL Last update

Indexes:

Enums:

enum InvoiceStatus {
  draft      // Being edited
  sent       // Sent to customer
  viewed     // Customer viewed email
  paid       // Payment received
  overdue    // Past dueDate and unpaid
  cancelled  // Voided
}

Invoice Status Transitions:

stateDiagram-v2
    [*] --> draft : Created
    draft --> sent : Send email\n(creates GL Transaction)
    sent --> viewed : Tracking pixel loaded
    viewed --> paid : Mark as paid\n(creates GL Transaction)
    sent --> paid : Mark as paid\n(creates GL Transaction)
    draft --> cancelled : Cancel
    sent --> cancelled : Cancel\n(reverses Transaction)
    viewed --> cancelled : Cancel\n(reverses Transaction)
    paid --> [*]
    cancelled --> [*]

    note right of draft
        Can edit line items,\ndates, amounts
    end note
    note right of sent
        Locked — no edits\nPDF generated & stored in R2
    end note
    note right of overdue
        Automated check: dueDate < today\nAND status != paid
    end note

Business rules:

7. InvoiceItem

Purpose: Line items on invoices.

Column Type Constraints Description
id UUID PK Primary key
invoiceId UUID FK → Invoice, CASCADE, NOT NULL Parent invoice
lineNumber INT NOT NULL Line order (1, 2, 3...)
description VARCHAR(500) NOT NULL Item description
quantity DECIMAL(10,2) NOT NULL Quantity sold
unitPrice DECIMAL(19,4) NOT NULL Price per unit
taxRate DECIMAL(5,2) NOT NULL, default 0 VAT rate (20 = 20%)
lineTotal DECIMAL(19,4) NOT NULL quantity * unitPrice
accountId UUID FK → Account, NULL Revenue account
createdAt TIMESTAMP NOT NULL Record creation

Indexes:

Business rules:

Expenses

8. Expense

Purpose: Purchase tracking (incoming). Expense recognition.

Column Type Constraints Description
id UUID PK Primary key
organizationId UUID FK → Organization, NOT NULL Organization scope
vendorId UUID FK → Contact, NULL Vendor (optional)
expenseNumber VARCHAR(50) NOT NULL Auto-generated (e.g., EXP-2026-001)
expenseDate DATE NOT NULL Expense date
currencyCode CHAR(3) NOT NULL Expense currency
exchangeRate DECIMAL(12,6) NOT NULL, default 1.0 Exchange rate at expenseDate
amount DECIMAL(19,4) NOT NULL Total expense amount
baseAmount DECIMAL(19,4) NOT NULL Converted to org baseCurrency
taxAmount DECIMAL(19,4) NOT NULL, default 0 VAT amount
category VARCHAR(100) NOT NULL Expense category
paymentMethod VARCHAR(50) NULL cash, card, bank_transfer, etc.
accountId UUID FK → Account, NULL Expense account
description TEXT NULL Expense description
receiptUrl VARCHAR(500) NULL Cloudflare R2 URL
status ENUM NOT NULL, default 'pending' Approval status
approvedBy UUID FK → User, NULL Approver user
approvedAt TIMESTAMP NULL Approval timestamp
paidAt TIMESTAMP NULL Payment timestamp
createdBy UUID FK → User, NULL Creator user
createdAt TIMESTAMP NOT NULL Record creation
updatedAt TIMESTAMP NOT NULL Last update

Indexes:

Enums:

enum ExpenseStatus {
  pending   // Awaiting approval
  approved  // Approved, ready to pay
  paid      // Payment made
  rejected  // Approval denied
}

Business rules:

Transactions (Double-Entry Ledger)

9. Transaction

Purpose: General ledger transactions. Every financial event creates a transaction.

Column Type Constraints Description
id UUID PK Primary key
organizationId UUID FK → Organization, NOT NULL Organization scope
transactionDate DATE NOT NULL Transaction date
description VARCHAR(255) NOT NULL Transaction description
debitAccountId UUID FK → Account, NOT NULL Account to debit
creditAccountId UUID FK → Account, NOT NULL Account to credit
amount DECIMAL(19,4) NOT NULL Transaction amount
currencyCode CHAR(3) NOT NULL Transaction currency
exchangeRate DECIMAL(12,6) NOT NULL, default 1.0 Exchange rate at transactionDate
baseAmount DECIMAL(19,4) NOT NULL Converted to org baseCurrency
referenceType VARCHAR(50) NULL invoice, expense, payment, manual
referenceId UUID NULL Invoice/Expense ID
locked BOOLEAN NOT NULL, default false Immutable if true
lockedAt TIMESTAMP NULL When locked
reconciled BOOLEAN NOT NULL, default false Matched to bank transaction
reconciledAt TIMESTAMP NULL When reconciled
notes TEXT NULL Free-text notes
createdBy UUID FK → User, NULL Creator user
createdAt TIMESTAMP NOT NULL Record creation

Indexes:

Business rules:

Common transaction patterns:

  1. Invoice created (draft → sent):

    • Debit: Accounts Receivable (Asset)
    • Credit: Revenue (Revenue)

  2. Invoice paid:

    • Debit: Bank Account (Asset)
    • Credit: Accounts Receivable (Asset)

  3. Expense approved:

    • Debit: Expense Account (Expense)
    • Credit: Accounts Payable (Liability)

  4. Expense paid:

    • Debit: Accounts Payable (Liability)
    • Credit: Bank Account (Asset)

Banking & Reconciliation

10. BankAccount

Purpose: Bank account metadata.

Column Type Constraints Description
id UUID PK Primary key
organizationId UUID FK → Organization, NOT NULL Organization scope
accountId UUID FK → Account, NOT NULL GL account (must be Asset)
bankName VARCHAR(255) NOT NULL Bank name
accountNumber VARCHAR(50) NULL Account number
iban VARCHAR(50) NULL IBAN
currencyCode CHAR(3) NOT NULL, default 'EUR' Account currency
currentBalance DECIMAL(19,4) NOT NULL, default 0 Current balance
isActive BOOLEAN NOT NULL, default true Active status
createdAt TIMESTAMP NOT NULL Record creation
updatedAt TIMESTAMP NOT NULL Last update

Indexes:

Business rules:

11. BankTransaction

Purpose: Bank statement imports. For reconciliation.

Column Type Constraints Description
id UUID PK Primary key
bankAccountId UUID FK → BankAccount, CASCADE, NOT NULL Parent bank account
transactionDate DATE NOT NULL Transaction date
amount DECIMAL(19,4) NOT NULL Positive = credit, negative = debit
description VARCHAR(500) NULL Bank description
reference VARCHAR(255) NULL Reference number
reconciled BOOLEAN NOT NULL, default false Matched to GL transaction
matchedTransactionId UUID NULL GL transaction ID
createdAt TIMESTAMP NOT NULL Record creation

Indexes:

Business rules:

Multi-Currency

12. Currency

Purpose: Supported currencies.

Column Type Constraints Description
code CHAR(3) PK ISO 4217 currency code
name VARCHAR(100) NOT NULL Currency name
symbol VARCHAR(10) NULL Currency symbol
decimalPlaces SMALLINT NOT NULL, default 2 Decimal precision
isActive BOOLEAN NOT NULL, default true Active status
createdAt TIMESTAMP NOT NULL Record creation

Seed data:

EUR | Euro           | €    | 2
RSD | Serbian Dinar  | din. | 2
BAM | Bosnian Mark   | KM   | 2
HRK | Croatian Kuna  | kn   | 2
USD | US Dollar      | $    | 2

13. ExchangeRate

Purpose: Historical exchange rates.

Column Type Constraints Description
id UUID PK Primary key
baseCurrency CHAR(3) FK → Currency, NOT NULL From currency
targetCurrency CHAR(3) FK → Currency, NOT NULL To currency
rate DECIMAL(12,6) NOT NULL Exchange rate
effectiveDate DATE NOT NULL Rate effective date
source VARCHAR(50) NULL ECB, fixer.io, manual
lastUpdated TIMESTAMP NOT NULL Last update timestamp

Indexes:

Business rules:

Audit Trail

14. LoggedAction

Purpose: Immutable audit log. Captures all INSERT/UPDATE/DELETE.

Column Type Constraints Description
eventId BIGINT PK, AUTOINCREMENT Event ID
schemaName TEXT NOT NULL Database schema (default: public)
tableName TEXT NOT NULL Table name
userId UUID FK → User, NULL User who performed action
actionTimestamp TIMESTAMP NOT NULL, default now() When action occurred
action ENUM NOT NULL INSERT, UPDATE, DELETE
rowData JSONB NULL Full row data before change
changedFields JSONB NULL Changed fields (UPDATE only)
queryText TEXT NULL SQL query (if available)
clientIp INET NULL Client IP address
applicationName TEXT NOT NULL, default 'fiken-clone-api' Application identifier

Indexes:

Enums:

enum AuditAction {
  INSERT
  UPDATE
  DELETE
}

Business rules:

Schema Version

15. SchemaVersion

Purpose: Migration tracking.

Column Type Constraints Description
version VARCHAR(20) PK Version string (e.g., "1.0.0")
appliedAt TIMESTAMP NOT NULL, default now() Migration timestamp
description TEXT NULL Migration description

Business rules:

Data Types & Precision

NUMERIC(19,4) for ALL Money

CRITICAL: NEVER use float, double, or JavaScript number for currency.

Why:

Usage in code:

import { Decimal } from '@prisma/client/runtime'

const amount = new Decimal('125000.0000')
const taxRate = new Decimal('0.20')
const taxAmount = amount.times(taxRate)  // 25000.0000

Constraints Summary

Primary Keys

All tables use UUID primary keys (except AccountType uses INT auto-increment).

Foreign Keys

All foreign keys have onDelete: Cascade (deleting organization deletes all data).

Unique Constraints

Check Constraints

(Enforced in API layer, not database):

Indexes Strategy

Query Patterns Optimized

  1. List by organization + filter:

    • (organizationId, status, date) composite index on invoices
    • (organizationId, category, date) composite index on expenses

  2. Foreign key lookups:

    • All foreign keys have indexes

  3. Date range queries:

    • Dedicated indexes on transactionDate, invoiceDate, expenseDate, dueDate

  4. Reconciliation:

    • Index on (referenceType, referenceId) for transaction lookups

Migration Commands

# Generate Prisma Client
npx prisma generate

# Create migration
npx prisma migrate dev --name migration_name

# Apply migrations (production)
npx prisma migrate deploy

# Reset database (dev only)
npx prisma migrate reset

# Seed initial data
npx prisma db seed

Seed Data

AccountType

INSERT INTO account_types (id, name, normal_balance) VALUES
(1, 'Asset', 'debit'),
(2, 'Liability', 'credit'),
(3, 'Equity', 'credit'),
(4, 'Revenue', 'credit'),
(5, 'Expense', 'debit');

Currency

INSERT INTO currencies (code, name, symbol, decimal_places) VALUES
('EUR', 'Euro', '€', 2),
('RSD', 'Serbian Dinar', 'din.', 2),
('BAM', 'Bosnian Mark', 'KM', 2),
('HRK', 'Croatian Kuna', 'kn', 2),
('USD', 'US Dollar', '$', 2);

End of Database Schema

Backend

Authentication & Authorization

Bilko Authentication & Authorization

Status: SPECIFICATION (backend not implemented) Last updated: 2026-02-20

Purpose

This document specifies the authentication and authorization system for Bilko's backend. Covers JWT tokens, password hashing, 2FA, role-based access control (RBAC), and session management.

Authentication Flow

System Overview

graph LR
    CLIENT[Frontend\nbilko.io]

    subgraph AUTH [Auth Layer]
        LOGIN[POST /auth/login]
        REGISTER[POST /auth/register]
        REFRESH[POST /auth/refresh]
        LOGOUT[POST /auth/logout]
    end

    subgraph TOKENS [Token Storage]
        AT[Access Token\nBearer header\n15 min TTL]
        RT[Refresh Token\nhttpOnly Cookie\n7-30 days TTL]
        BL[Blacklist\nRevoked JTIs]
    end

    subgraph GUARDS [Middleware Guards]
        AG[authGuard\nVerify JWT]
        RG[roleGuard\nCheck role]
        RL[rateLimiter\n5 req/min auth]
    end

    CLIENT --> LOGIN
    CLIENT --> REGISTER
    CLIENT --> REFRESH
    CLIENT --> LOGOUT

    LOGIN --> AT
    LOGIN --> RT
    REGISTER --> AT
    REGISTER --> RT
    REFRESH --> AT
    LOGOUT --> BL

    AT --> AG
    AG --> RG
    RG --> HANDLER[Route Handler]

    style AT fill:#00E5A0,color:#000
    style RT fill:#ffd700,color:#000
    style BL fill:#f87171,color:#fff

1. Registration

Endpoint: POST /api/v1/auth/register

sequenceDiagram
    participant C as Client
    participant API as Express API
    participant DB as PostgreSQL
    participant JWT as JWT Service

    C->>API: POST /auth/register\n{email, password, orgName, country}
    API->>API: Validate Zod schema\nCheck password strength
    API->>DB: Check email uniqueness
    DB-->>API: Email available
    API->>API: bcrypt.hash(password, 12)
    API->>DB: BEGIN TRANSACTION\nCreate Organization\nCreate User (role=owner)\nCreate default Chart of Accounts
    DB-->>API: Organization + User created
    API->>JWT: Generate access token (15min)\nGenerate refresh token (7days)
    JWT-->>API: { accessToken, refreshToken }
    API->>C: 201 Created\n{ user, organization, tokens }\nSet-Cookie: refreshToken (httpOnly)

Steps:

  1. Validate request body (email uniqueness, password strength, country/currency codes)
  2. Hash password with bcrypt (12 rounds)
  3. Create database transaction:
    • Create Organization
    • Create User (role = 'owner')
    • Create default Chart of Accounts (seed accounts based on country)
  4. Generate JWT access token (15 min expiry)
  5. Generate refresh token (7 days expiry)
  6. Set refresh token in httpOnly cookie
  7. Return user + organization + tokens

Password Requirements:

Password Hashing:

import bcrypt from 'bcrypt'

const SALT_ROUNDS = 12

async function hashPassword(password: string): Promise<string> {
  return bcrypt.hash(password, SALT_ROUNDS)
}

async function verifyPassword(password: string, hash: string): Promise<boolean> {
  return bcrypt.compare(password, hash)
}

Errors:

2. Login

Endpoint: POST /api/v1/auth/login

sequenceDiagram
    participant C as Client
    participant RL as Rate Limiter\n5 req/min/IP
    participant API as Express API
    participant DB as PostgreSQL
    participant JWT as JWT Service

    C->>RL: POST /auth/login\n{email, password}
    RL-->>C: 429 Too Many Requests (if exceeded)
    RL->>API: Pass through
    API->>DB: Find user by email
    DB-->>API: User record
    API->>API: bcrypt.compare(password, hash)

    alt Invalid credentials
        API-->>C: 401 Unauthorized
    else 2FA required
        API-->>C: 403 { requiresTwoFactor: true }
        C->>API: POST /auth/verify-2fa { code }
        API->>API: speakeasy.totp.verify()
    end

    API->>DB: UPDATE users SET lastLoginAt = now()
    API->>JWT: Generate access token (15min)\nGenerate refresh token\n(7d or 30d if rememberMe)
    JWT-->>API: Tokens
    API->>C: 200 OK { user, tokens }\nSet-Cookie: refreshToken (httpOnly, Secure, SameSite=Strict)

Steps:

  1. Find user by email
  2. Verify password with bcrypt.compare()
  3. If 2FA enabled, send TOTP challenge (not covered in MVP)
  4. Update user.lastLoginAt
  5. Generate JWT access token (15 min expiry)
  6. Generate refresh token (7 days or 30 days if rememberMe = true)
  7. Set refresh token in httpOnly cookie
  8. Return user + tokens

Rate Limiting:

Errors:

3. Token Refresh

Endpoint: POST /api/v1/auth/refresh

sequenceDiagram
    participant C as Client
    participant API as Express API
    participant BL as Blacklist\n(Redis/PostgreSQL)
    participant JWT as JWT Service

    C->>API: POST /auth/refresh\n[Cookie: refreshToken]
    API->>API: Extract JWT from httpOnly cookie
    API->>JWT: Verify signature & expiry
    JWT-->>API: RefreshTokenPayload { sub, jti, exp }
    API->>BL: Check if jti is blacklisted
    BL-->>API: Not blacklisted
    API->>JWT: Generate new access token (15min)
    JWT-->>API: New accessToken
    API->>C: 200 OK { accessToken }

    note over C,API: Access token expires every 15min\nClient must silently refresh via cookie

Steps:

  1. Extract refresh token from httpOnly cookie
  2. Verify refresh token signature
  3. Check if token is blacklisted (revoked)
  4. Check expiry
  5. Generate new access token (15 min expiry)
  6. Return new access token

Refresh Token Storage:

Token Revocation:

Errors:

4. Logout

Endpoint: POST /api/v1/auth/logout

Steps:

  1. Extract refresh token from cookie
  2. Add token JTI to blacklist
  3. Clear httpOnly cookie
  4. Return 204 No Content

JWT Tokens

Access Token

Purpose: Short-lived token for API authentication.

Claims:

interface AccessTokenPayload {
  sub: string           // User ID (UUID)
  email: string         // User email
  role: UserRole        // owner, admin, accountant, viewer
  orgId: string         // Organization ID (UUID)
  iat: number           // Issued at (Unix timestamp)
  exp: number           // Expires at (Unix timestamp, iat + 15 min)
}

Expiry: 15 minutes

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Usage:

Refresh Token

Purpose: Long-lived token for obtaining new access tokens.

Claims:

interface RefreshTokenPayload {
  sub: string           // User ID (UUID)
  jti: string           // JWT ID (for revocation)
  iat: number           // Issued at (Unix timestamp)
  exp: number           // Expires at (Unix timestamp, iat + 7 days or 30 days)
}

Expiry: 7 days (default) or 30 days (if rememberMe = true)

Storage:

Revocation:

JWT Secret Management

CRITICAL: JWT secret MUST be stored securely.

Environment Variables:

# .env
JWT_SECRET=<256-bit random string, minimum 32 chars>
JWT_REFRESH_SECRET=<different 256-bit random string>

Generation:

# Generate secure random secret
openssl rand -base64 32

Best Practices:

Two-Factor Authentication (2FA)

Status: OPTIONAL in MVP, implement in v2

sequenceDiagram
    participant U as User
    participant APP as Frontend
    participant API as Backend
    participant DB as PostgreSQL

    Note over U,DB: 2FA Setup Flow
    U->>APP: Enable 2FA in settings
    APP->>API: POST /settings/2fa/enable
    API->>API: Generate 32-char base32 TOTP secret
    API->>APP: { secret, qrCodeUrl }
    APP->>U: Display QR code
    U->>U: Scan with Google Authenticator / Authy
    U->>APP: Enter 6-digit code to verify
    APP->>API: POST /settings/2fa/verify { code }
    API->>API: speakeasy.totp.verify(secret, code)
    API->>DB: UPDATE users SET twoFactorEnabled=true\ntwoFactorSecret=encrypted
    API->>APP: 2FA activated

    Note over U,DB: Login with 2FA
    U->>APP: Enter email + password
    APP->>API: POST /auth/login
    API->>DB: Find user, verify password
    API->>APP: 403 { requiresTwoFactor: true }
    APP->>U: Prompt for 6-digit code
    U->>APP: Enter TOTP code
    APP->>API: POST /auth/verify-2fa { code }
    API->>API: Verify TOTP (30-second window ±1 step)
    API->>APP: 200 OK { user, tokens }

Flow:

  1. User enables 2FA in settings
  2. Generate TOTP secret (32-char base32 string)
  3. Display QR code (Google Authenticator, Authy compatible)
  4. User scans QR code
  5. User enters 6-digit code to verify
  6. Store twoFactorSecret (encrypted) in users table
  7. Set twoFactorEnabled = true

Login with 2FA:

  1. User enters email + password
  2. If twoFactorEnabled = true, return 403 with requiresTwoFactor: true
  3. Frontend prompts for 6-digit code
  4. User submits code via POST /api/v1/auth/verify-2fa
  5. Verify TOTP code (30-second window)
  6. If valid, issue tokens

TOTP Verification:

import speakeasy from 'speakeasy'

function verifyTOTP(secret: string, token: string): boolean {
  return speakeasy.totp.verify({
    secret,
    encoding: 'base32',
    token,
    window: 1  // Allow 1 time step before/after (30s window)
  })
}

Role-Based Access Control (RBAC)

RBAC Model

graph TD
    subgraph ROLES [User Roles — Hierarchy]
        OW[owner\nFull control]
        AD[admin\nManage users + all financials]
        AC[accountant\nCreate financials only]
        VW[viewer\nRead-only]
    end

    subgraph ACTIONS [Protected Actions]
        direction LR
        INV_C[Create Invoice]
        INV_S[Send Invoice]
        INV_P[Mark Invoice Paid]
        EXP_C[Create Expense]
        EXP_AP[Approve Expense]
        TXN[Create Transaction]
        USR_I[Invite User]
        USR_R[Change User Role]
        USR_D[Delete User]
        ORG_S[Org Settings]
        ORG_D[Delete Organization]
        RPT[View Reports]
    end

    OW --> INV_C & INV_S & INV_P
    OW --> EXP_C & EXP_AP
    OW --> TXN
    OW --> USR_I & USR_R & USR_D
    OW --> ORG_S & ORG_D
    OW --> RPT

    AD --> INV_C & INV_S & INV_P
    AD --> EXP_C & EXP_AP
    AD --> TXN
    AD --> USR_I
    AD --> ORG_S
    AD --> RPT

    AC --> INV_C & INV_S & INV_P
    AC --> EXP_C
    AC --> TXN
    AC --> RPT

    VW --> RPT

    style OW fill:#00E5A0,color:#000
    style AD fill:#60a5fa,color:#000
    style AC fill:#fbbf24,color:#000
    style VW fill:#94a3b8,color:#000

Roles

Role Permissions
owner Full access: manage users, delete organization, change settings, all financial operations
admin Manage users (except owner), change settings, all financial operations
accountant Create/edit invoices, expenses, transactions. View reports. Cannot manage users or settings.
viewer Read-only access to all financial data. Cannot create or edit.

Permission Matrix

Action owner admin accountant viewer
Create invoice
Edit invoice (draft)
Send invoice
Mark invoice paid
Create expense
Approve expense
Create manual transaction
View reports
Invite user
Change user role
Delete user
Update org settings
Delete organization

Middleware Implementation

Role Guard:

import { Request, Response, NextFunction } from 'express'

type UserRole = 'owner' | 'admin' | 'accountant' | 'viewer'

function roleGuard(allowedRoles: UserRole[]) {
  return (req: Request, res: Response, next: NextFunction) => {
    const user = req.user  // Attached by authGuard middleware

    if (!user) {
      return res.status(401).json({ error: 'Unauthorized', code: 'NO_AUTH' })
    }

    if (!allowedRoles.includes(user.role)) {
      return res.status(403).json({
        error: 'Forbidden',
        code: 'INSUFFICIENT_PERMISSIONS',
        details: { required: allowedRoles, current: user.role }
      })
    }

    next()
  }
}

// Usage in routes
app.post('/api/v1/invoices',
  authGuard,
  roleGuard(['owner', 'admin', 'accountant']),
  createInvoice
)

Session Management

Session Storage

Option 1: JWT-only (stateless, recommended for MVP):

Option 2: Redis sessions (for v2):

Session Invalidation

On password change:

  1. Hash new password
  2. Update users.passwordHash
  3. Delete all refresh tokens from blacklist older than 1 hour (force re-login)
  4. Return success

On account deletion:

  1. Soft-delete user (set isActive = false)
  2. Add all user's refresh tokens to blacklist
  3. Revoke access immediately

Security Best Practices

1. Password Storage

2. Token Security

3. Rate Limiting

4. HTTPS Only

5. CORS Configuration

const corsOptions = {
  origin: ['https://bilko.io', 'http://localhost:3000'],
  credentials: true,  // Allow cookies
  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization']
}

app.use(cors(corsOptions))

6. Input Validation

Example Implementation

Auth Middleware

import jwt from 'jsonwebtoken'
import { Request, Response, NextFunction } from 'express'

interface AuthRequest extends Request {
  user?: {
    id: string
    email: string
    role: UserRole
    organizationId: string
  }
}

async function authGuard(req: AuthRequest, res: Response, next: NextFunction) {
  const authHeader = req.headers.authorization

  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'Unauthorized', code: 'NO_TOKEN' })
  }

  const token = authHeader.substring(7)  // Remove 'Bearer '

  try {
    const payload = jwt.verify(token, process.env.JWT_SECRET!) as AccessTokenPayload

    // Attach user to request
    req.user = {
      id: payload.sub,
      email: payload.email,
      role: payload.role,
      organizationId: payload.orgId
    }

    next()
  } catch (error) {
    if (error.name === 'TokenExpiredError') {
      return res.status(401).json({ error: 'Token expired', code: 'TOKEN_EXPIRED' })
    }

    return res.status(401).json({ error: 'Invalid token', code: 'INVALID_TOKEN' })
  }
}

export { authGuard, roleGuard }

Environment Variables

# JWT
JWT_SECRET=<256-bit secret for access tokens>
JWT_REFRESH_SECRET=<256-bit secret for refresh tokens>
JWT_ACCESS_EXPIRY=15m
JWT_REFRESH_EXPIRY=7d

# Rate Limiting
RATE_LIMIT_AUTH=5           # Max login attempts per minute
RATE_LIMIT_GENERAL=100      # Max requests per minute

# Session
SESSION_COOKIE_SECURE=true  # HTTPS only (production)
SESSION_COOKIE_SAMESITE=strict

End of Authentication Documentation

Backend

Business Logic

Bilko Business Logic

Status: SPECIFICATION (backend not implemented) Last updated: 2026-02-20

Purpose

This document defines the accounting domain rules that Bilko's backend MUST enforce. These are non-negotiable business requirements for financial accuracy and compliance.

Table of Contents

  1. Double-Entry Bookkeeping
  2. Invoice Workflow
  3. Expense Workflow
  4. VAT Calculation
  5. Multi-Currency
  6. Bank Reconciliation
  7. Chart of Accounts
  8. Fiscal Year
  9. Audit Trail

1. Double-Entry Bookkeeping

Core Principle

EVERY financial event creates a Transaction with exactly one debit and one credit.

The fundamental equation:

DEBITS = CREDITS

Double-Entry Flow

flowchart TD
    EVENT[Financial Event\ne.g. Invoice sent, Expense approved, Payment received]
    EVENT --> TXN[Create Transaction\ndebitAccountId + creditAccountId + amount]

    TXN --> CHK{Validate:\ndebit ≠ credit\namount > 0}
    CHK -->|FAIL| ERR[422 Validation Error]
    CHK -->|PASS| DEBIT[Debit Account\nIncrease if Asset/Expense\nDecrease if Liability/Equity/Revenue]
    DEBIT --> CREDIT[Credit Account\nIncrease if Liability/Equity/Revenue\nDecrease if Asset/Expense]
    CREDIT --> BAL{Trial Balance\nSum Debits = Sum Credits?}
    BAL -->|Balanced| LOCK[Lock Transaction\nappend to GL]
    BAL -->|Unbalanced| ALERT[System Alert\nCritical Error]

    style EVENT fill:#00E5A0,color:#000
    style ERR fill:#f87171,color:#fff
    style ALERT fill:#f87171,color:#fff
    style LOCK fill:#60a5fa,color:#000

Common Transaction Patterns

flowchart LR
    subgraph INV_SENT [Invoice Sent]
        IS_D[Debit: 1200 Accounts Receivable\nAsset ↑]
        IS_C[Credit: 4000 Revenue\nRevenue ↑]
        IS_D -. "amount" .- IS_C
    end

    subgraph INV_PAID [Invoice Paid]
        IP_D[Debit: 1000 Bank Account\nAsset ↑]
        IP_C[Credit: 1200 Accounts Receivable\nAsset ↓]
        IP_D -. "amount" .- IP_C
    end

    subgraph EXP_APR [Expense Approved]
        EA_D[Debit: 5100 Expense Account\nExpense ↑]
        EA_C[Credit: 2000 Accounts Payable\nLiability ↑]
        EA_D -. "amount" .- EA_C
    end

    subgraph EXP_PAID [Expense Paid]
        EP_D[Debit: 2000 Accounts Payable\nLiability ↓]
        EP_C[Credit: 1000 Bank Account\nAsset ↓]
        EP_D -. "amount" .- EP_C
    end

    style IS_D fill:#4ade80,color:#000
    style IP_D fill:#4ade80,color:#000
    style EA_D fill:#fb923c,color:#000
    style EP_D fill:#4ade80,color:#000

Account types and normal balances:

Account Type Normal Balance Increases with Decreases with
Asset Debit Debit Credit
Liability Credit Credit Debit
Equity Credit Credit Debit
Revenue Credit Credit Debit
Expense Debit Debit Credit

Transaction Rules

  1. Debit Account ≠ Credit Account

    • A transaction cannot debit and credit the same account
    • Enforced at API validation layer

  2. Amount > 0

    • Transaction amount must be positive
    • Sign is determined by debit/credit, not amount

  3. Balanced Entries

    • Debit amount = Credit amount
    • No split transactions in MVP (one debit, one credit only)

  4. Locked Transactions

    • Once transaction.locked = true, cannot be edited or deleted
    • Locked at end-of-period close or when reconciled

Common Transaction Patterns

1. Invoice Created (draft → sent)

Debit:  1200 - Accounts Receivable (Asset)    +125,000 RSD
Credit: 4000 - Revenue (Revenue)              +125,000 RSD

Effect: Increases asset (money owed to us), increases revenue.

2. Invoice Paid

Debit:  1000 - Bank Account (Asset)           +125,000 RSD
Credit: 1200 - Accounts Receivable (Asset)    -125,000 RSD

Effect: Increases cash, decreases receivables (converted to cash).

3. Expense Approved

Debit:  5100 - Infrastructure Expense (Expense)  +850 EUR
Credit: 2000 - Accounts Payable (Liability)      +850 EUR

Effect: Increases expense, increases liability (we owe money).

4. Expense Paid

Debit:  2000 - Accounts Payable (Liability)   -850 EUR
Credit: 1000 - Bank Account (Asset)           -850 EUR

Effect: Decreases liability, decreases cash.

Balance Calculation

Account balance = Sum(debits) - Sum(credits) for debit-normal accounts (Asset, Expense)

Account balance = Sum(credits) - Sum(debits) for credit-normal accounts (Liability, Equity, Revenue)

Trial Balance:

2. Invoice Workflow

Status Transitions

draft → sent → viewed → paid
  ↓       ↓       ↓
  └─────→ cancelled

stateDiagram-v2
    [*] --> draft : POST /invoices\n(auto-number: INV-YYYY-NNN)

    draft --> sent : PATCH /invoices/:id/status\naction=send\n[generates PDF → R2]\n[sends email via SendGrid]\n[creates Transaction:\nDR Receivable / CR Revenue]

    sent --> viewed : Email tracking pixel loaded\n[updates invoice.viewedAt]

    viewed --> paid : PATCH status action=mark-paid\n[creates Transaction:\nDR Bank / CR Receivable]

    sent --> paid : PATCH status action=mark-paid\n[creates Transaction:\nDR Bank / CR Receivable]

    draft --> cancelled : PATCH status action=cancel
    sent --> cancelled : PATCH status action=cancel\n[reverses Transaction]
    viewed --> cancelled : PATCH status action=cancel\n[reverses Transaction]

    paid --> [*]
    cancelled --> [*]

    note right of draft
        Editable: items, dates, amounts
        Invoice number locked on first save
    end note

    note right of sent
        LOCKED — cannot edit amounts
        PDF stored in Cloudflare R2
        exchangeRate locked at invoiceDate
    end note

    note right of paid
        2 GL Transactions created total:
        1. draft→sent: DR Receivable / CR Revenue
        2. paid: DR Bank / CR Receivable
    end note

Invoice Calculation Flow

flowchart TD
    ITEMS[Invoice Items\nquantity × unitPrice = lineTotal]
    ITEMS --> SUB[subtotal = SUM all lineTotals]
    SUB --> TAX[taxAmount = SUM lineTotal × taxRate/100]
    TAX --> DISC[Apply discountAmount]
    DISC --> TOTAL[totalAmount = subtotal + taxAmount - discountAmount]
    TOTAL --> BASE[baseAmount = totalAmount × exchangeRate\nexchangeRate locked at invoiceDate]
    BASE --> LOCK[Store — NEVER recalculate\nfrom future exchange rates]

    style LOCK fill:#f87171,color:#fff
    style BASE fill:#ffd700,color:#000

Status rules:

From To Action Transaction Created?
draft sent Send email Yes (Debit Receivable, Credit Revenue)
sent viewed Email opened No
viewed paid Mark paid Yes (Debit Bank, Credit Receivable)
sent paid Mark paid Yes (Debit Bank, Credit Receivable)
any cancelled Cancel Reverses original transaction

Business Rules

Rule 1: Invoice Number Auto-Generation

Rule 2: Draft-Only Editing

Rule 3: Overdue Detection

Rule 4: Subtotal Calculation

subtotal = SUM(lineTotal) for all invoice items
lineTotal = quantity * unitPrice

Rule 5: Tax Calculation

taxAmount = SUM(lineTotal * (taxRate / 100)) for all items

Rule 6: Total Calculation

totalAmount = subtotal + taxAmount - discountAmount

Rule 7: Base Amount Conversion

baseAmount = totalAmount * exchangeRate

Rule 8: PDF Generation

Rule 9: Email Delivery

3. Expense Workflow

Status Transitions

pending → approved → paid
   ↓
rejected

stateDiagram-v2
    [*] --> pending : POST /expenses\n(auto-number: EXP-YYYY-NNN)\ncreatedBy: accountant/admin/owner

    pending --> approved : PATCH /expenses/:id/approve\nRoles: owner, admin ONLY\n[creates Transaction:\nDR Expense / CR Accounts Payable]

    pending --> rejected : PATCH /expenses/:id/reject\nRoles: owner, admin ONLY\n[no Transaction created]

    approved --> paid : PATCH /expenses/:id/pay\n[creates Transaction:\nDR Accounts Payable / CR Bank]

    paid --> [*]
    rejected --> [*]

    note right of pending
        Can be edited before approval
        Receipt upload optional (max 10MB)
        PDF/PNG/JPG formats
    end note

    note right of approved
        Cannot edit after approval
        Stored in Cloudflare R2 receipts/
        exchangeRate locked at expenseDate
    end note

Status rules:

From To Action Transaction Created?
pending approved Approve Yes (Debit Expense, Credit Payable)
pending rejected Reject No
approved paid Mark paid Yes (Debit Payable, Credit Bank)

Business Rules

Rule 1: Expense Number Auto-Generation

Rule 2: Approval Required

Rule 3: Receipt Upload

Rule 4: Category Tracking

Rule 5: Tax Amount

Rule 6: Base Amount Conversion

baseAmount = amount * exchangeRate

4. VAT Calculation

VAT Calculation Flow

flowchart TD
    subgraph OUTPUT [Output VAT — Sales]
        INV[Invoice sent to customer]
        INV --> OLINE[For each line item:\nlineTotal = qty × unitPrice\nlineTaxAmount = lineTotal × taxRate/100]
        OLINE --> OTOT[Invoice taxAmount = SUM all lineTaxAmounts]
        OTOT --> OREC[Recorded as Output VAT\nin VAT Report]
    end

    subgraph INPUT [Input VAT — Purchases]
        EXP[Expense from vendor]
        EXP --> ETAX[expense.taxAmount field\nUser-entered or calculated]
        ETAX --> IREC[Recorded as Input VAT\nin VAT Report]
    end

    subgraph NET [Net VAT Calculation]
        OREC --> CALC[netVAT = outputVAT - inputVAT]
        IREC --> CALC
        CALC --> POS{netVAT > 0?}
        POS -->|Yes| OWE[Owe to tax authority\nFile PDV/VAT return]
        POS -->|No| REF[Tax authority owes refund\nRare for SMBs]
    end

    style OWE fill:#f87171,color:#fff
    style REF fill:#4ade80,color:#000

VAT Rates by Country

Country Standard VAT Reduced VAT Zero VAT
Serbia (RS) 20% 10% 0%
BiH (BA) 17% - 0%
Croatia (HR) 25% 13% 0%

Business Rules

Rule 1: Tax Rate Application

Rule 2: Tax Amount Calculation

For each invoice item:
  lineTotal = quantity * unitPrice
  lineTaxAmount = lineTotal * (taxRate / 100)

For invoice:
  subtotal = SUM(lineTotal)
  taxAmount = SUM(lineTaxAmount)
  totalAmount = subtotal + taxAmount - discountAmount

Rule 3: Output VAT (Sales)

Rule 4: Input VAT (Purchases)

Rule 5: Net VAT Calculation

netVAT = outputVAT - inputVAT

VAT Report Structure

interface VATReport {
  period: { from: string, to: string }

  outputVAT: {
    total: Decimal                    // Total VAT collected
    invoices: Array<{
      invoiceNumber: string
      customerName: string
      invoiceDate: string
      baseAmount: Decimal             // Subtotal
      vatAmount: Decimal              // Tax amount
      vatRate: Decimal                // Tax rate %
    }>
  }

  inputVAT: {
    total: Decimal                    // Total VAT paid
    expenses: Array<{
      expenseNumber: string
      vendorName: string
      expenseDate: string
      baseAmount: Decimal
      vatAmount: Decimal
      vatRate: Decimal
    }>
  }

  netVAT: Decimal                     // outputVAT - inputVAT

  reconciliationStatus: {
    allInvoicesPaid: boolean          // All invoices in period are paid
    allExpensesApproved: boolean      // All expenses in period are approved
    unmatchedTransactions: number     // Unreconciled bank transactions
  }
}

5. Multi-Currency

Supported Currencies

MVP:

Exchange Rate Locking

CRITICAL RULE: Exchange rates are locked at transaction date.

Why:

How it works:

  1. Invoice created on 2026-02-20:

    • currencyCode = 'RSD'
    • exchangeRate = 117.50 (EUR to RSD rate on 2026-02-20)
    • totalAmount = 125,000 RSD
    • baseAmount = 125,000 / 117.50 = 1,063.83 EUR (locked)

  2. Today (2026-03-15), rate is now 120.00:

    • Invoice baseAmount stays 1,063.83 EUR
    • NEVER recalculated to 125,000 / 120.00 = 1,041.67 EUR

Exchange Rate Sources

Primary: European Central Bank (ECB) API

Fallback: fixer.io API

Manual Entry:

Base Currency Conversion

All reports displayed in organization's baseCurrency.

Example:

Total Revenue: 1,063.83 + 3,500 = 4,563.83 EUR

6. Bank Reconciliation

Purpose

Match bank transactions (from statements) to general ledger transactions (from invoices/expenses).

flowchart TD
    CSV[Bank Statement CSV\nDate, Description, Amount, Reference]
    CSV --> PARSE[Parse & validate CSV\nCreate BankTransaction records]
    PARSE --> LINK[Link to BankAccount]

    LINK --> MATCH[Auto-Match Algorithm\nScore 0-100]

    subgraph SCORE [Match Score Calculation]
        S1[+50 pts: Exact amount match]
        S2[+30 pts: Same date\n+20 pts: ±1 day\n+10 pts: ±3 days]
        S3[+20 pts: Reference contains\ninvoice/expense number]
    end

    MATCH --> SCORE
    SCORE --> THRESH{Score?}

    THRESH -->|≥ 90| AUTO[Auto-match\nreconciled = true]
    THRESH -->|70-89| SUGGEST[Suggest to user\nUser confirms]
    THRESH -->|< 70| MANUAL[Manual review\nUser links manually]

    SUGGEST --> CONFIRM{User\nconfirms?}
    CONFIRM -->|Yes| RECONCILE[Set reconciled = true\nmatchedTransactionId = glTxId]
    CONFIRM -->|No| MANUAL

    MANUAL --> RECONCILE

    AUTO --> RECONCILE
    RECONCILE --> REPORT[Reconciliation Report\nbalanceDiscrepancy should = 0]

    style AUTO fill:#4ade80,color:#000
    style MANUAL fill:#fb923c,color:#000
    style REPORT fill:#60a5fa,color:#000

Process

  1. Import bank statement (CSV):

    • Parse CSV file
    • Create BankTransaction records
    • Link to BankAccount

  2. Auto-match transactions:

    • Match by amount + date (within ±3 days)
    • Match by reference (invoice number in description)
    • Calculate confidence score (0-100)

  3. Manual reconciliation:

    • User links BankTransaction to Transaction
    • Set bankTransaction.reconciled = true
    • Set bankTransaction.matchedTransactionId = transaction.id

  4. Unmatched transactions:

    • Flag in reconciliation report
    • User must create manual journal entry or mark as miscellaneous

Matching Algorithm

Score calculation:

function calculateMatchScore(
  bankTx: BankTransaction,
  glTx: Transaction
): number {
  let score = 0

  // Exact amount match
  if (Math.abs(bankTx.amount) === glTx.amount) {
    score += 50
  }

  // Date within ±3 days
  const daysDiff = Math.abs(
    daysBetween(bankTx.transactionDate, glTx.transactionDate)
  )
  if (daysDiff === 0) score += 30
  else if (daysDiff <= 1) score += 20
  else if (daysDiff <= 3) score += 10

  // Reference contains invoice/expense number
  if (glTx.referenceType === 'invoice' && bankTx.description?.includes(glTx.referenceId)) {
    score += 20
  }

  return score
}

Auto-match threshold:

Reconciliation Report

interface ReconciliationReport {
  bankAccount: {
    id: string
    name: string
    currentBalance: Decimal
  }

  period: { from: string, to: string }

  bankTransactions: {
    total: number
    reconciled: number
    unreconciled: number
    totalAmount: Decimal
  }

  glTransactions: {
    total: number
    reconciled: number
    unreconciled: number
    totalAmount: Decimal
  }

  unmatchedBankTransactions: Array<BankTransaction>
  unmatchedGLTransactions: Array<Transaction>

  balanceDiscrepancy: Decimal       // Should be 0 when fully reconciled
}

7. Chart of Accounts

Structure

Hierarchical account codes:

Example Serbian Chart of Accounts:

1000  Assets
  1100  Current Assets
    1110  Cash
    1120  Bank Accounts
      1121  Intesa RSD Account
      1122  Raiffeisen EUR Account
    1200  Accounts Receivable
  1500  Fixed Assets
    1510  Equipment
    1520  Vehicles

2000  Liabilities
  2100  Current Liabilities
    2110  Accounts Payable
    2120  VAT Payable
  2500  Long-term Liabilities
    2510  Loans Payable

3000  Equity
  3100  Share Capital
  3900  Retained Earnings

4000  Revenue
  4100  Service Revenue
  4200  Product Sales

5000  Expenses
  5100  Operating Expenses
    5110  Salaries
    5120  Rent
    5130  Utilities
  5200  Cost of Goods Sold

Business Rules

Rule 1: Account Hierarchy

Rule 2: Account Deactivation

Rule 3: Reserved Accounts

8. Fiscal Year

Definition

Fiscal year: 12-month period for financial reporting.

Default: January 1 - December 31

Configurable: Organization can set custom fiscal year start (e.g., April 1 for UK-style fiscal year)

Business Rules

Rule 1: Year-End Close

Rule 2: Period-Based Reports

9. Audit Trail

Purpose

Immutable log of all data changes for:

What is Logged

ALL INSERT/UPDATE/DELETE operations on:

Captured data:

Implementation

Via Prisma Middleware:

prisma.$use(async (params, next) => {
  const result = await next(params)

  if (['create', 'update', 'delete'].includes(params.action)) {
    await prisma.loggedAction.create({
      data: {
        tableName: params.model,
        userId: getCurrentUserId(),
        action: params.action.toUpperCase(),
        rowData: params.action === 'delete' ? params.args.where : null,
        changedFields: params.action === 'update' ? params.args.data : null,
        clientIp: getClientIp(),
        applicationName: 'bilko-api'
      }
    })
  }

  return result
})

Retention Policy

Summary of Critical Business Rules

  1. Double-entry: Every transaction has one debit and one credit
  2. Debits = Credits: Ledger must always balance
  3. Exchange rate locking: Rates locked at transaction date, NEVER recalculated
  4. Invoice workflow: draft → sent → paid (creates 2 transactions)
  5. Expense workflow: pending → approved → paid (creates 2 transactions)
  6. VAT calculation: taxAmount = lineTotal * (taxRate / 100)
  7. Account hierarchy: Parent-child relationships in Chart of Accounts
  8. Audit trail: ALL changes logged immutably
  9. Fiscal year close: Lock transactions, transfer P&L to Retained Earnings
  10. Reconciliation: Match bank transactions to GL transactions

End of Business Logic Documentation

Backend

Middleware Stack

Bilko Middleware Stack

Status: SPECIFICATION (backend not implemented) Last updated: 2026-02-20

Purpose

This document specifies the Express middleware stack for Bilko's backend. Middleware order is CRITICAL — security, authentication, validation, and error handling must execute in the correct sequence.

Middleware Execution Order

The order matters. Middleware executes top-to-bottom:

Full Middleware Pipeline

flowchart TD
    REQ[Incoming HTTP Request]

    REQ --> H[1. Helmet\nSecurity Headers\nHSTS, CSP, X-Frame-Options,\nX-Content-Type-Options]

    H --> CORS[2. CORS\nAllow: bilko.io, localhost:3000\ncredentials: true\nmaxAge: 86400]

    CORS --> BP[3. Body Parser\nexpress.json limit=10mb\nexpress.urlencoded]

    BP --> RL{4. Rate Limiter\nAuth: 5 req/min\nGeneral: 100 req/min}

    RL -->|Exceeded| R429[429 Too Many Requests]
    RL -->|OK| LOG[5. Morgan Logger\nWinston transport\nCombined format]

    LOG --> ROUTE[6. Router\n/api/v1/*]

    ROUTE --> AUTH{authGuard\nVerify Bearer JWT}
    AUTH -->|No token| R401A[401 NO_TOKEN]
    AUTH -->|Expired| R401B[401 TOKEN_EXPIRED]
    AUTH -->|Invalid| R401C[401 INVALID_TOKEN]
    AUTH -->|Valid| ATTACH[Attach req.user\n{id, email, role, orgId}]

    ATTACH --> ROLE{roleGuard\nCheck allowed roles}
    ROLE -->|Insufficient| R403[403 INSUFFICIENT_PERMISSIONS]
    ROLE -->|Authorized| VALID{validate\nZod schema}

    VALID -->|Fails| R422[422 VALIDATION_ERROR]
    VALID -->|Passes| SCOPE[organizationScope\nAttach req.organizationId]

    SCOPE --> HANDLER[Route Handler\nBusiness Logic + Prisma]

    HANDLER --> AUDIT[Prisma Middleware\nLoggedAction INSERT]
    AUDIT --> RESP[200/201/204 Response]

    HANDLER -->|Error thrown| ERR[7. Error Handler\nMUST be last middleware]
    ERR --> FMTERR[Format error response\n{error, code, details}]
    FMTERR --> ERRRESP[4xx/500 Response]

    style REQ fill:#00E5A0,color:#000
    style R429 fill:#f87171,color:#fff
    style R401A fill:#f87171,color:#fff
    style R401B fill:#f87171,color:#fff
    style R401C fill:#f87171,color:#fff
    style R403 fill:#f87171,color:#fff
    style R422 fill:#f87171,color:#fff
    style RESP fill:#4ade80,color:#000

import express from 'express'
import helmet from 'helmet'
import cors from 'cors'
import rateLimit from 'express-rate-limit'
import { authGuard, roleGuard } from './middleware/auth'
import { validate } from './middleware/validation'
import { errorHandler } from './middleware/error-handler'

const app = express()

// 1. Security headers (helmet)
app.use(helmet())

// 2. CORS configuration
app.use(cors(corsOptions))

// 3. Body parsing
app.use(express.json({ limit: '10mb' }))
app.use(express.urlencoded({ extended: true }))

// 4. Rate limiting
app.use(rateLimiter)

// 5. Request logging (Morgan)
app.use(morgan('combined'))

// 6. Routes (with auth + validation per-route)
app.use('/api/v1', routes)

// 7. Error handler (MUST be last)
app.use(errorHandler)

1. Helmet (Security Headers)

Purpose: Sets HTTP security headers to prevent common attacks.

Installation:

npm install helmet

Configuration:

import helmet from 'helmet'

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],  // Allow inline styles for Next.js
      scriptSrc: ["'self'"],
      imgSrc: ["'self'", "data:", "https://r2.bilko.io"],  // Cloudflare R2
      connectSrc: ["'self'", "https://api.bilko.io"],
      fontSrc: ["'self'"],
      objectSrc: ["'none'"],
      upgradeInsecureRequests: []
    }
  },
  hsts: {
    maxAge: 31536000,            // 1 year
    includeSubDomains: true,
    preload: true
  },
  frameguard: { action: 'deny' },  // Prevent clickjacking
  noSniff: true,                   // Prevent MIME sniffing
  xssFilter: true                  // Enable XSS filter
}))

Headers set:

2. CORS (Cross-Origin Resource Sharing)

Purpose: Allow frontend (Next.js) to call backend API from different origin.

Installation:

npm install cors

Configuration:

import cors from 'cors'

const corsOptions = {
  origin: (origin, callback) => {
    const allowedOrigins = [
      'https://bilko.io',
      'https://www.bilko.io',
      'http://localhost:3000'  // Development only
    ]

    if (!origin || allowedOrigins.includes(origin)) {
      callback(null, true)
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  },
  credentials: true,              // Allow cookies (refresh tokens)
  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  exposedHeaders: ['X-Total-Count', 'X-Page-Count'],  // For pagination
  maxAge: 86400                   // Cache preflight for 24h
}

app.use(cors(corsOptions))

Why credentials: true?

3. Body Parsing

Purpose: Parse JSON request bodies.

Built-in Express middleware:

app.use(express.json({
  limit: '10mb',                  // Max request body size
  strict: true,                   // Reject non-arrays/objects
  type: 'application/json'
}))

app.use(express.urlencoded({
  extended: true,
  limit: '10mb'
}))

Limits:

4. Rate Limiting

Purpose: Prevent abuse, brute-force attacks, DDoS.

Installation:

npm install express-rate-limit

Configuration:

import rateLimit from 'express-rate-limit'

// General API rate limiter
const apiLimiter = rateLimit({
  windowMs: 60 * 1000,            // 1 minute
  max: 100,                       // Max 100 requests per minute
  message: {
    error: 'Too many requests',
    code: 'RATE_LIMIT_EXCEEDED',
    retryAfter: 60
  },
  standardHeaders: true,          // Return RateLimit-* headers
  legacyHeaders: false,
  handler: (req, res) => {
    res.status(429).json({
      error: 'Too many requests',
      code: 'RATE_LIMIT_EXCEEDED',
      retryAfter: 60
    })
  }
})

// Auth rate limiter (stricter)
const authLimiter = rateLimit({
  windowMs: 60 * 1000,            // 1 minute
  max: 5,                         // Max 5 login attempts per minute
  skipSuccessfulRequests: true,  // Don't count successful logins
  keyGenerator: (req) => {
    return req.ip                 // Rate limit by IP
  }
})

// Apply to routes
app.use('/api/v1', apiLimiter)
app.use('/api/v1/auth/login', authLimiter)
app.use('/api/v1/auth/register', authLimiter)

Rate limits by endpoint:

Endpoint Limit Window Why
/api/v1/auth/login 5 1 min Prevent brute-force
/api/v1/auth/register 5 1 min Prevent spam registration
/api/v1/* (general) 100 1 min General API protection
Write ops (POST/PUT/PATCH) 50 1 min Prevent resource exhaustion

5. Request Logging

Purpose: Log all HTTP requests for debugging and monitoring.

Installation:

npm install morgan
npm install winston

Configuration:

import morgan from 'morgan'
import winston from 'winston'

// Winston logger
const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [
    new winston.transports.File({ filename: 'error.log', level: 'error' }),
    new winston.transports.File({ filename: 'combined.log' })
  ]
})

if (process.env.NODE_ENV !== 'production') {
  logger.add(new winston.transports.Console({
    format: winston.format.simple()
  }))
}

// Morgan HTTP logging
app.use(morgan('combined', {
  stream: {
    write: (message) => logger.info(message.trim())
  }
}))

Log format:

:remote-addr - :remote-user [:date[clf]] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"

Example:

192.168.1.100 - user@example.com [20/Feb/2026:10:30:15 +0000] "POST /api/v1/invoices HTTP/1.1" 201 512 "https://bilko.io" "Mozilla/5.0..."

Per-Route Middleware Composition

graph LR
    subgraph PUBLIC [Public Routes — No Auth]
        P1["POST /auth/register\n[rateLimiter(5/min)] → handler"]
        P2["POST /auth/login\n[rateLimiter(5/min)] → handler"]
        P3["POST /auth/refresh\n[rateLimiter(100/min)] → handler"]
        P4["GET /track/email/:id\n[handler — tracking pixel]"]
    end

    subgraph VIEWER [Viewer Routes — All Roles]
        V1["GET /invoices\n[auth] → [orgScope] → handler"]
        V2["GET /reports/*\n[auth] → [orgScope] → handler"]
        V3["GET /contacts\n[auth] → [orgScope] → handler"]
    end

    subgraph ACCOUNTANT [Accountant+ Routes]
        A1["POST /invoices\n[auth] → [role:owner,admin,accountant]\n→ [validate] → [orgScope] → handler"]
        A2["POST /expenses\n[auth] → [role:owner,admin,accountant]\n→ [validate] → handler"]
        A3["POST /transactions\n[auth] → [role:owner,admin,accountant]\n→ [validate] → handler"]
    end

    subgraph ADMIN [Admin+ Routes]
        AD1["PATCH /expenses/:id/approve\n[auth] → [role:owner,admin] → handler"]
        AD2["POST /users/invite\n[auth] → [role:owner,admin] → handler"]
        AD3["PUT /organization\n[auth] → [role:owner,admin] → handler"]
    end

    subgraph OWNER [Owner-Only Routes]
        O1["DELETE /users/:id\n[auth] → [role:owner] → handler"]
        O2["PUT /users/:id/role\n[auth] → [role:owner] → handler"]
        O3["DELETE /organization\n[auth] → [role:owner] → handler"]
    end

    style PUBLIC fill:#e2e8f0,color:#000
    style VIEWER fill:#dcfce7,color:#000
    style ACCOUNTANT fill:#fef9c3,color:#000
    style ADMIN fill:#dbeafe,color:#000
    style OWNER fill:#fce7f3,color:#000

6. Authentication Middleware

Purpose: Verify JWT access token, attach user to request.

Implementation:

import jwt from 'jsonwebtoken'
import { Request, Response, NextFunction } from 'express'

interface AuthRequest extends Request {
  user?: {
    id: string
    email: string
    role: 'owner' | 'admin' | 'accountant' | 'viewer'
    organizationId: string
  }
}

export async function authGuard(req: AuthRequest, res: Response, next: NextFunction) {
  const authHeader = req.headers.authorization

  if (!authHeader || !authHeader.startsWith('Bearer ')) {
    return res.status(401).json({
      error: 'Unauthorized',
      code: 'NO_TOKEN'
    })
  }

  const token = authHeader.substring(7)  // Remove 'Bearer '

  try {
    const payload = jwt.verify(token, process.env.JWT_SECRET!) as {
      sub: string
      email: string
      role: string
      orgId: string
    }

    // Attach user to request
    req.user = {
      id: payload.sub,
      email: payload.email,
      role: payload.role as any,
      organizationId: payload.orgId
    }

    next()
  } catch (error) {
    if (error.name === 'TokenExpiredError') {
      return res.status(401).json({
        error: 'Token expired',
        code: 'TOKEN_EXPIRED'
      })
    }

    if (error.name === 'JsonWebTokenError') {
      return res.status(401).json({
        error: 'Invalid token',
        code: 'INVALID_TOKEN'
      })
    }

    return res.status(500).json({
      error: 'Authentication error',
      code: 'AUTH_ERROR'
    })
  }
}

Usage in routes:

app.get('/api/v1/invoices', authGuard, getInvoices)

7. Role-Based Access Control (RBAC)

Purpose: Restrict endpoints by user role.

Implementation:

type UserRole = 'owner' | 'admin' | 'accountant' | 'viewer'

export function roleGuard(allowedRoles: UserRole[]) {
  return (req: AuthRequest, res: Response, next: NextFunction) => {
    if (!req.user) {
      return res.status(401).json({
        error: 'Unauthorized',
        code: 'NO_AUTH'
      })
    }

    if (!allowedRoles.includes(req.user.role)) {
      return res.status(403).json({
        error: 'Forbidden',
        code: 'INSUFFICIENT_PERMISSIONS',
        details: {
          required: allowedRoles,
          current: req.user.role
        }
      })
    }

    next()
  }
}

Usage in routes:

// Only owner and admin can delete users
app.delete('/api/v1/users/:id',
  authGuard,
  roleGuard(['owner', 'admin']),
  deleteUser
)

// Everyone can view invoices
app.get('/api/v1/invoices',
  authGuard,
  getInvoices
)

// Only owner, admin, accountant can create invoices
app.post('/api/v1/invoices',
  authGuard,
  roleGuard(['owner', 'admin', 'accountant']),
  createInvoice
)

8. Request Validation

Purpose: Validate request body, query, params with Zod schemas.

Installation:

npm install zod

Implementation:

import { z } from 'zod'
import { Request, Response, NextFunction } from 'express'

type ValidateTarget = 'body' | 'query' | 'params'

export function validate(schema: z.ZodSchema, target: ValidateTarget = 'body') {
  return (req: Request, res: Response, next: NextFunction) => {
    try {
      const data = req[target]
      const validated = schema.parse(data)

      // Replace with validated data (coerced types)
      req[target] = validated

      next()
    } catch (error) {
      if (error instanceof z.ZodError) {
        return res.status(422).json({
          error: 'Validation failed',
          code: 'VALIDATION_ERROR',
          details: error.flatten().fieldErrors
        })
      }

      return res.status(500).json({
        error: 'Validation error',
        code: 'VALIDATION_ERROR'
      })
    }
  }
}

Usage in routes:

import { z } from 'zod'

const createInvoiceSchema = z.object({
  customerId: z.string().uuid(),
  invoiceDate: z.string().date(),
  dueDate: z.string().date(),
  items: z.array(z.object({
    description: z.string().min(1).max(500),
    quantity: z.number().positive(),
    unitPrice: z.number().positive(),
    taxRate: z.number().min(0).max(100)
  })).min(1)
})

app.post('/api/v1/invoices',
  authGuard,
  roleGuard(['owner', 'admin', 'accountant']),
  validate(createInvoiceSchema, 'body'),
  createInvoice
)

Error response:

{
  "error": "Validation failed",
  "code": "VALIDATION_ERROR",
  "details": {
    "customerId": ["Invalid UUID"],
    "items.0.quantity": ["Must be positive"]
  }
}

9. Organization Scoping

Purpose: Automatically filter all queries by organizationId to enforce multi-tenancy.

Implementation:

export function organizationScope(req: AuthRequest, res: Response, next: NextFunction) {
  if (!req.user) {
    return res.status(401).json({
      error: 'Unauthorized',
      code: 'NO_AUTH'
    })
  }

  // Attach organizationId to request for easy access
  req.organizationId = req.user.organizationId

  next()
}

Usage in Prisma queries:

async function getInvoices(req: AuthRequest, res: Response) {
  const invoices = await prisma.invoice.findMany({
    where: {
      organizationId: req.user!.organizationId  // Always filter by org
    }
  })

  res.json({ data: invoices })
}

CRITICAL: NEVER allow cross-organization queries. Always filter by organizationId.

10. Error Handler

Purpose: Catch all errors, format consistently, log, return to client.

MUST be the last middleware.

flowchart TD
    ERR[Error Thrown by any Middleware or Handler]
    ERR --> LOG_ERR[Log to Winston:\nmessage, stack, path, method, userId]
    LOG_ERR --> TYPE{Error Type?}

    TYPE -->|PrismaClientKnownRequestError| PRISMA{Prisma Code?}
    PRISMA -->|P2002 Unique violation| R400A[400 DUPLICATE_RESOURCE\n{field: target}]
    PRISMA -->|P2003 Foreign key| R404A[404 FOREIGN_KEY_ERROR]
    PRISMA -->|P2025 Record not found| R404B[404 NOT_FOUND]
    PRISMA -->|Other| R500[500 INTERNAL_ERROR]

    TYPE -->|ValidationError| R422[422 VALIDATION_ERROR]
    TYPE -->|JsonWebTokenError| R401A[401 INVALID_TOKEN]
    TYPE -->|TokenExpiredError| R401B[401 AUTH_ERROR]
    TYPE -->|Custom AppError| CUSTOM[err.status / err.code]
    TYPE -->|Unknown| R500

    R400A & R404A & R404B & R422 & R401A & R401B & CUSTOM & R500 --> FORMAT[Format Response:\n{ error, code, details? }]
    FORMAT --> SEND[Send to Client]

    style ERR fill:#f87171,color:#fff
    style R500 fill:#dc2626,color:#fff
    style FORMAT fill:#60a5fa,color:#000

Implementation:

import { Request, Response, NextFunction } from 'express'
import { Prisma } from '@prisma/client'

export function errorHandler(err: any, req: Request, res: Response, next: NextFunction) {
  // Log error
  logger.error('Error:', {
    message: err.message,
    stack: err.stack,
    path: req.path,
    method: req.method,
    user: req.user?.id
  })

  // Prisma errors
  if (err instanceof Prisma.PrismaClientKnownRequestError) {
    // Unique constraint violation
    if (err.code === 'P2002') {
      return res.status(400).json({
        error: 'Resource already exists',
        code: 'DUPLICATE_RESOURCE',
        details: { field: err.meta?.target }
      })
    }

    // Foreign key constraint violation
    if (err.code === 'P2003') {
      return res.status(404).json({
        error: 'Related resource not found',
        code: 'FOREIGN_KEY_ERROR'
      })
    }

    // Record not found
    if (err.code === 'P2025') {
      return res.status(404).json({
        error: 'Resource not found',
        code: 'NOT_FOUND'
      })
    }
  }

  // Validation errors (already handled by validate middleware)
  if (err.name === 'ValidationError') {
    return res.status(422).json({
      error: err.message,
      code: 'VALIDATION_ERROR'
    })
  }

  // JWT errors (already handled by authGuard)
  if (err.name === 'JsonWebTokenError' || err.name === 'TokenExpiredError') {
    return res.status(401).json({
      error: 'Authentication failed',
      code: 'AUTH_ERROR'
    })
  }

  // Default error
  res.status(err.status || 500).json({
    error: err.message || 'Internal server error',
    code: err.code || 'INTERNAL_ERROR'
  })
}

Error response format:

{
  "error": "Human-readable error message",
  "code": "MACHINE_READABLE_CODE",
  "details": {
    "field": "Additional context"
  }
}

Complete Middleware Stack Example

import express from 'express'
import helmet from 'helmet'
import cors from 'cors'
import morgan from 'morgan'
import rateLimit from 'express-rate-limit'
import { authGuard, roleGuard, organizationScope } from './middleware/auth'
import { validate } from './middleware/validation'
import { errorHandler } from './middleware/error-handler'
import routes from './routes'

const app = express()

// 1. Security headers
app.use(helmet(helmetConfig))

// 2. CORS
app.use(cors(corsOptions))

// 3. Body parsing
app.use(express.json({ limit: '10mb' }))
app.use(express.urlencoded({ extended: true }))

// 4. Rate limiting
app.use('/api/v1', apiLimiter)
app.use('/api/v1/auth/login', authLimiter)
app.use('/api/v1/auth/register', authLimiter)

// 5. Request logging
app.use(morgan('combined', { stream: logger.stream }))

// 6. Routes
app.use('/api/v1', routes)

// 7. Error handler (MUST be last)
app.use(errorHandler)

// Start server
const PORT = process.env.PORT || 4000
app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`)
})

Middleware Testing

Unit tests for each middleware:

import { describe, it, expect } from 'vitest'
import request from 'supertest'
import app from '../app'

describe('Auth Middleware', () => {
  it('blocks request without token', async () => {
    const res = await request(app).get('/api/v1/invoices')
    expect(res.status).toBe(401)
    expect(res.body.code).toBe('NO_TOKEN')
  })

  it('blocks request with expired token', async () => {
    const expiredToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
    const res = await request(app)
      .get('/api/v1/invoices')
      .set('Authorization', `Bearer ${expiredToken}`)

    expect(res.status).toBe(401)
    expect(res.body.code).toBe('TOKEN_EXPIRED')
  })

  it('allows request with valid token', async () => {
    const validToken = generateToken({ sub: 'user-id', role: 'owner', orgId: 'org-id' })
    const res = await request(app)
      .get('/api/v1/invoices')
      .set('Authorization', `Bearer ${validToken}`)

    expect(res.status).not.toBe(401)
  })
})

describe('Role Guard', () => {
  it('blocks accountant from deleting users', async () => {
    const token = generateToken({ sub: 'user-id', role: 'accountant', orgId: 'org-id' })
    const res = await request(app)
      .delete('/api/v1/users/other-user-id')
      .set('Authorization', `Bearer ${token}`)

    expect(res.status).toBe(403)
    expect(res.body.code).toBe('INSUFFICIENT_PERMISSIONS')
  })
})

End of Middleware Documentation

Backend

External Services Integration

Bilko External Services

Status: SPECIFICATION (backend not implemented) Last updated: 2026-02-20

Purpose

This document specifies the external service integrations for Bilko's backend. Covers email delivery, file storage, exchange rates, and PDF generation.

Service Integration Architecture

graph TD
    subgraph BILKO [Bilko Backend — apps/api]
        API[Express API\nPort 4000]
        PDF[PDF Service\nPuppeteer]
        RATE[Exchange Rate Service\nCron: daily 00:00 UTC]
        AUDIT[Prisma Middleware\nAudit Logger]
    end

    subgraph EXTERNAL [External Services]
        SG[SendGrid\nnoreply@bilko.io\n100 emails/day free]
        R2[Cloudflare R2\nbilko-files bucket\n10GB free]
        ECB[ECB API\nexchangerate.host\nFree, daily rates]
        FIXER[Fixer.io\n100 req/month free\nFallback]
        CLAM[ClamAV\nVirus Scanner\nlocalhost:3310]
    end

    subgraph STORAGE [Database]
        PG[PostgreSQL 14+\nAll data\nExchangeRate cache]
    end

    API -->|Invoice email + PDF| SG
    API -->|Receipt upload| R2
    PDF -->|Store generated PDF| R2
    RATE -->|Primary rates fetch| ECB
    RATE -->|Fallback if ECB fails| FIXER
    ECB & FIXER -->|Store in DB| PG
    API -->|Scan uploaded files| CLAM
    API -->|All reads/writes| PG
    AUDIT -->|Append-only log| PG

    style SG fill:#00b0f0,color:#fff
    style R2 fill:#f6821f,color:#fff
    style ECB fill:#0070f3,color:#fff
    style FIXER fill:#6366f1,color:#fff
    style PG fill:#336791,color:#fff
    style CLAM fill:#e53e3e,color:#fff

Table of Contents

  1. SendGrid (Email Delivery)
  2. Cloudflare R2 (File Storage)
  3. Exchange Rate APIs
  4. PDF Generation
  5. Error Handling & Fallbacks

1. SendGrid (Email Delivery)

Purpose

Send invoice emails, payment reminders, user invitations, and password resets.

Invoice Email + Tracking Flow

sequenceDiagram
    participant API as Bilko API
    participant PDF as PDF Service\n(Puppeteer)
    participant R2 as Cloudflare R2
    participant SG as SendGrid
    participant CUSTOMER as Customer Email

    Note over API,CUSTOMER: Invoice Send Flow
    API->>PDF: generateInvoicePDF(invoiceId)
    PDF->>PDF: Launch headless Chromium\nRender HTML template\nExport A4 PDF
    PDF-->>API: PDF Buffer
    API->>R2: PUT invoices/{orgId}/INV-2026-001.pdf
    R2-->>API: Public URL stored
    API->>API: Update invoice.pdfUrl
    API->>SG: sendEmail({ to, subject, html, attachment:pdf })
    SG-->>API: { messageId }
    API->>API: Update invoice.sentAt, status='sent'
    SG->>CUSTOMER: Deliver email with PDF attachment
    CUSTOMER->>API: GET /track/email/{invoiceId}\n[1x1 pixel load]
    API->>API: UPDATE invoice SET status='viewed'\nviewedAt=now()

Setup

Account: SendGrid (free tier: 100 emails/day)

Installation:

npm install @sendgrid/mail

Environment Variables:

SENDGRID_API_KEY=SG.xxxxx
SENDGRID_FROM_EMAIL=noreply@bilko.io
SENDGRID_FROM_NAME=Bilko

Configuration

import sgMail from '@sendgrid/mail'

sgMail.setApiKey(process.env.SENDGRID_API_KEY!)

interface SendEmailOptions {
  to: string | string[]
  cc?: string[]
  bcc?: string[]
  subject: string
  text: string
  html: string
  attachments?: Array<{
    content: string      // Base64 encoded
    filename: string
    type: string         // MIME type
    disposition: 'attachment' | 'inline'
  }>
}

async function sendEmail(options: SendEmailOptions) {
  const msg = {
    to: options.to,
    cc: options.cc,
    bcc: options.bcc,
    from: {
      email: process.env.SENDGRID_FROM_EMAIL!,
      name: process.env.SENDGRID_FROM_NAME!
    },
    subject: options.subject,
    text: options.text,
    html: options.html,
    attachments: options.attachments
  }

  try {
    const response = await sgMail.send(msg)
    return {
      success: true,
      messageId: response[0].headers['x-message-id']
    }
  } catch (error) {
    logger.error('SendGrid error:', error)
    throw new Error('Failed to send email')
  }
}

Email Templates

1. Invoice Email

Template variables:

HTML template:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Invoice {{ invoiceNumber }}</title>
  <style>
    body { font-family: Inter, sans-serif; }
    .container { max-width: 600px; margin: 0 auto; padding: 20px; }
    .header { background: #09090b; color: #fff; padding: 20px; text-align: center; }
    .content { padding: 20px; background: #f9fafb; }
    .footer { padding: 20px; text-align: center; color: #6b7280; }
    .button { display: inline-block; padding: 12px 24px; background: #00E5A0; color: #000; text-decoration: none; border-radius: 6px; }
  </style>
</head>
<body>
  <div class="container">
    <div class="header">
      <h1>{{ organizationName }}</h1>
    </div>
    <div class="content">
      <p>Dear {{ customerName }},</p>
      <p>Your invoice <strong>{{ invoiceNumber }}</strong> is ready.</p>
      <table>
        <tr><td>Amount:</td><td><strong>{{ totalAmount }} {{ currencyCode }}</strong></td></tr>
        <tr><td>Due Date:</td><td>{{ dueDate }}</td></tr>
      </table>
      <p><a href="{{ viewInvoiceUrl }}" class="button">View Invoice</a></p>
      <p>Thank you for your business!</p>
    </div>
    <div class="footer">
      <p>Powered by <a href="https://bilko.io">Bilko</a></p>
    </div>
  </div>
  <!-- Tracking pixel -->
  <img src="{{ trackingPixelUrl }}" width="1" height="1" />
</body>
</html>

Attachment: Invoice PDF (generated via PDF service)

2. User Invitation Email

Template variables:

Subject: {{ inviterName }} invited you to {{ organizationName }} on Bilko

3. Password Reset Email

Template variables:

Subject: Reset your Bilko password

Email Tracking

Purpose: Track when customer views invoice email (for viewedAt timestamp).

How it works:

  1. Embed 1x1 transparent pixel in email HTML
  2. Pixel URL: https://api.bilko.io/track/email/{{ invoiceId }}
  3. When customer opens email, browser loads pixel
  4. Backend endpoint logs view:
app.get('/track/email/:invoiceId', async (req, res) => {
  const { invoiceId } = req.params

  await prisma.invoice.update({
    where: { id: invoiceId },
    data: {
      status: 'viewed',
      viewedAt: new Date()
    }
  })

  // Return 1x1 transparent GIF
  const pixel = Buffer.from(
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7',
    'base64'
  )
  res.writeHead(200, {
    'Content-Type': 'image/gif',
    'Content-Length': pixel.length
  })
  res.end(pixel)
})

Rate Limits

SendGrid free tier:

Recommendation for MVP: Free tier sufficient for testing. Upgrade to paid plan at launch.

2. Cloudflare R2 (File Storage)

Purpose

Store invoice PDFs and expense receipts.

Why R2 over S3:

Setup

Account: Cloudflare (free tier: 10GB storage)

Installation:

npm install @aws-sdk/client-s3
npm install @aws-sdk/s3-request-presigner

Environment Variables:

R2_ACCOUNT_ID=your-account-id
R2_ACCESS_KEY_ID=your-access-key
R2_SECRET_ACCESS_KEY=your-secret-key
R2_BUCKET_NAME=bilko-files
R2_PUBLIC_URL=https://r2.bilko.io

Configuration

import { S3Client, PutObjectCommand, GetObjectCommand } from '@aws-sdk/client-s3'
import { getSignedUrl } from '@aws-sdk/s3-request-presigner'

const s3 = new S3Client({
  region: 'auto',
  endpoint: `https://${process.env.R2_ACCOUNT_ID}.r2.cloudflarestorage.com`,
  credentials: {
    accessKeyId: process.env.R2_ACCESS_KEY_ID!,
    secretAccessKey: process.env.R2_SECRET_ACCESS_KEY!
  }
})

interface UploadFileOptions {
  key: string             // File path (e.g., "invoices/INV-2026-001.pdf")
  body: Buffer | Uint8Array
  contentType: string     // MIME type
  metadata?: Record<string, string>
}

async function uploadFile(options: UploadFileOptions): Promise<string> {
  const command = new PutObjectCommand({
    Bucket: process.env.R2_BUCKET_NAME!,
    Key: options.key,
    Body: options.body,
    ContentType: options.contentType,
    Metadata: options.metadata
  })

  await s3.send(command)

  // Return public URL
  return `${process.env.R2_PUBLIC_URL}/${options.key}`
}

async function getSignedDownloadUrl(key: string, expiresIn: number = 3600): Promise<string> {
  const command = new GetObjectCommand({
    Bucket: process.env.R2_BUCKET_NAME!,
    Key: key
  })

  return getSignedUrl(s3, command, { expiresIn })
}

File Organization

Bucket structure:

bilko-files/
├── invoices/
│   ├── org-uuid-1/
│   │   ├── INV-2026-001.pdf
│   │   └── INV-2026-002.pdf
│   └── org-uuid-2/
│       └── INV-2026-001.pdf
├── receipts/
│   ├── org-uuid-1/
│   │   ├── EXP-2026-001.jpg
│   │   └── EXP-2026-002.pdf
│   └── org-uuid-2/
└── exports/
    └── org-uuid-1/
        └── report-2026-02-20.xlsx

Key format: {category}/{organizationId}/{filename}

File Upload Workflow

Invoice PDF:

async function storeInvoicePDF(invoiceId: string, organizationId: string, pdf: Buffer): Promise<string> {
  const invoice = await prisma.invoice.findUnique({ where: { id: invoiceId } })
  const filename = `${invoice.invoiceNumber}.pdf`
  const key = `invoices/${organizationId}/${filename}`

  const url = await uploadFile({
    key,
    body: pdf,
    contentType: 'application/pdf',
    metadata: {
      invoiceId,
      organizationId,
      uploadedAt: new Date().toISOString()
    }
  })

  await prisma.invoice.update({
    where: { id: invoiceId },
    data: { pdfUrl: url }
  })

  return url
}

Expense Receipt:

async function storeExpenseReceipt(expenseId: string, organizationId: string, file: Express.Multer.File): Promise<string> {
  const expense = await prisma.expense.findUnique({ where: { id: expenseId } })
  const ext = file.mimetype.split('/')[1]  // 'pdf', 'jpeg', 'png'
  const filename = `${expense.expenseNumber}.${ext}`
  const key = `receipts/${organizationId}/${filename}`

  const url = await uploadFile({
    key,
    body: file.buffer,
    contentType: file.mimetype,
    metadata: {
      expenseId,
      organizationId,
      uploadedAt: new Date().toISOString()
    }
  })

  await prisma.expense.update({
    where: { id: expenseId },
    data: { receiptUrl: url }
  })

  return url
}

Security

1. Signed URLs for private files:

2. Virus scanning:

npm install clamscan

import NodeClam from 'clamscan'

const clam = await new NodeClam().init({
  clamdscan: {
    host: 'localhost',
    port: 3310
  }
})

async function scanFile(filePath: string): Promise<boolean> {
  const { isInfected } = await clam.scanFile(filePath)
  return !isInfected
}

3. Exchange Rate APIs

Purpose

Fetch daily exchange rates for multi-currency support.

Exchange Rate Fetch & Fallback Flow

flowchart TD
    CRON[Cron Job\nDaily at 00:00 UTC]
    CRON --> ECB[Fetch from ECB API\nexchangerate.host/latest?base=EUR]

    ECB --> ECB_OK{Success?}
    ECB_OK -->|Yes| STORE[Upsert ExchangeRate records\nsource='ECB']
    ECB_OK -->|No| FIXER[Fallback: Fixer.io\napi.fixer.io/latest]

    FIXER --> FIX_OK{Success?}
    FIX_OK -->|Yes| STORE2[Upsert ExchangeRate records\nsource='fixer.io']
    FIX_OK -->|No| PREV[Use yesterday's rates\nWarn in logs]

    STORE & STORE2 & PREV --> AVAIL[Rates available in DB\nfor transaction date locking]

    subgraph LOOKUP [Rate Lookup at Transaction Time]
        L1[getExchangeRate\nbaseCurrency, targetCurrency, date]
        L2{Same currency?}
        L3[Return rate = 1.0]
        L4[Find exact date in DB]
        L5{Found?}
        L6[Return rate]
        L7[Find nearest available date\norderBy effectiveDate DESC]
        L8[Warn in logs\nReturn nearest rate]

        L1 --> L2
        L2 -->|Yes| L3
        L2 -->|No| L4
        L4 --> L5
        L5 -->|Yes| L6
        L5 -->|No| L7
        L7 --> L8
    end

    AVAIL --> LOOKUP
    style PREV fill:#fb923c,color:#000
    style L8 fill:#fb923c,color:#000

Primary: European Central Bank (ECB)

Endpoint: https://api.exchangerate.host/latest

Free: Yes (unlimited)

Example:

async function fetchECBRates(baseCurrency: string = 'EUR'): Promise<Record<string, number>> {
  const url = `https://api.exchangerate.host/latest?base=${baseCurrency}`

  const response = await fetch(url)
  const data = await response.json()

  if (!data.success) {
    throw new Error('ECB API error')
  }

  return data.rates  // { RSD: 117.50, BAM: 1.95, HRK: 7.53, USD: 1.07 }
}

Fallback: Fixer.io

Endpoint: https://api.fixer.io/latest

Free tier: 100 requests/month

Environment Variables:

FIXER_API_KEY=your-api-key

Example:

async function fetchFixerRates(baseCurrency: string = 'EUR'): Promise<Record<string, number>> {
  const url = `https://api.fixer.io/latest?base=${baseCurrency}&access_key=${process.env.FIXER_API_KEY}`

  const response = await fetch(url)
  const data = await response.json()

  if (!data.success) {
    throw new Error('Fixer.io API error')
  }

  return data.rates
}

Exchange Rate Service

async function updateExchangeRates(): Promise<void> {
  try {
    // Try ECB first
    const rates = await fetchECBRates('EUR')

    // Store in database
    for (const [targetCurrency, rate] of Object.entries(rates)) {
      await prisma.exchangeRate.upsert({
        where: {
          baseCurrency_targetCurrency_effectiveDate: {
            baseCurrency: 'EUR',
            targetCurrency,
            effectiveDate: new Date()
          }
        },
        update: {
          rate,
          source: 'ECB',
          lastUpdated: new Date()
        },
        create: {
          baseCurrency: 'EUR',
          targetCurrency,
          rate,
          effectiveDate: new Date(),
          source: 'ECB'
        }
      })
    }

    logger.info('Exchange rates updated', { source: 'ECB', count: Object.keys(rates).length })
  } catch (error) {
    // Fallback to Fixer.io
    try {
      const rates = await fetchFixerRates('EUR')

      for (const [targetCurrency, rate] of Object.entries(rates)) {
        await prisma.exchangeRate.upsert({
          where: {
            baseCurrency_targetCurrency_effectiveDate: {
              baseCurrency: 'EUR',
              targetCurrency,
              effectiveDate: new Date()
            }
          },
          update: { rate, source: 'fixer.io', lastUpdated: new Date() },
          create: {
            baseCurrency: 'EUR',
            targetCurrency,
            rate,
            effectiveDate: new Date(),
            source: 'fixer.io'
          }
        })
      }

      logger.info('Exchange rates updated', { source: 'fixer.io', count: Object.keys(rates).length })
    } catch (fallbackError) {
      logger.error('Failed to update exchange rates', { error: fallbackError })
      // Use yesterday's rates (better than nothing)
    }
  }
}

// Schedule: Daily at 00:00 UTC
cron.schedule('0 0 * * *', updateExchangeRates)

Get Exchange Rate

async function getExchangeRate(
  baseCurrency: string,
  targetCurrency: string,
  date: Date = new Date()
): Promise<number> {
  // If same currency, rate = 1.0
  if (baseCurrency === targetCurrency) {
    return 1.0
  }

  // Find rate for exact date
  let rate = await prisma.exchangeRate.findUnique({
    where: {
      baseCurrency_targetCurrency_effectiveDate: {
        baseCurrency,
        targetCurrency,
        effectiveDate: date
      }
    }
  })

  // If not found, use nearest available rate
  if (!rate) {
    rate = await prisma.exchangeRate.findFirst({
      where: { baseCurrency, targetCurrency },
      orderBy: { effectiveDate: 'desc' }
    })
  }

  if (!rate) {
    throw new Error(`No exchange rate found for ${baseCurrency} → ${targetCurrency}`)
  }

  return parseFloat(rate.rate.toString())
}

4. PDF Generation

Purpose

Generate invoice PDFs with organization branding.

Option 1: Puppeteer (Server-Side Rendering)

Installation:

npm install puppeteer

Implementation:

import puppeteer from 'puppeteer'

async function generateInvoicePDF(invoiceId: string): Promise<Buffer> {
  const invoice = await prisma.invoice.findUnique({
    where: { id: invoiceId },
    include: {
      customer: true,
      organization: true,
      items: true
    }
  })

  // Render HTML template
  const html = renderInvoiceHTML(invoice)

  // Launch headless browser
  const browser = await puppeteer.launch({
    headless: true,
    args: ['--no-sandbox', '--disable-setuid-sandbox']
  })

  const page = await browser.newPage()
  await page.setContent(html, { waitUntil: 'networkidle0' })

  // Generate PDF
  const pdf = await page.pdf({
    format: 'A4',
    printBackground: true,
    margin: { top: '1cm', right: '1cm', bottom: '1cm', left: '1cm' }
  })

  await browser.close()

  return pdf
}

Option 2: @react-pdf/renderer (React Components)

Installation:

npm install @react-pdf/renderer

Implementation:

import { Document, Page, Text, View, StyleSheet, pdf } from '@react-pdf/renderer'

const styles = StyleSheet.create({
  page: { padding: 30 },
  header: { fontSize: 24, marginBottom: 20 },
  table: { display: 'table', width: '100%' },
  row: { flexDirection: 'row', borderBottomWidth: 1, borderColor: '#ddd' },
  cell: { padding: 10 }
})

function InvoicePDF({ invoice }) {
  return (
    <Document>
      <Page style={styles.page}>
        <View style={styles.header}>
          <Text>{invoice.organization.name}</Text>
        </View>
        <Text>Invoice {invoice.invoiceNumber}</Text>
        <View style={styles.table}>
          {invoice.items.map((item) => (
            <View style={styles.row} key={item.id}>
              <Text style={styles.cell}>{item.description}</Text>
              <Text style={styles.cell}>{item.quantity}</Text>
              <Text style={styles.cell}>{item.unitPrice}</Text>
              <Text style={styles.cell}>{item.lineTotal}</Text>
            </View>
          ))}
        </View>
      </Page>
    </Document>
  )
}

async function generateInvoicePDF(invoiceId: string): Promise<Buffer> {
  const invoice = await fetchInvoiceData(invoiceId)
  const doc = <InvoicePDF invoice={invoice} />
  const pdfBlob = await pdf(doc).toBlob()
  return Buffer.from(await pdfBlob.arrayBuffer())
}

Recommendation: Puppeteer for MVP (more flexible HTML/CSS), React PDF for v2 (better TypeScript support).

5. Error Handling & Fallbacks

Circuit Breaker & Retry Pattern

stateDiagram-v2
    [*] --> closed : Initial state

    closed --> open : failures >= threshold (5)\nService marked as unavailable

    open --> half_open : timeout elapsed (60s)\nAttempt single test call

    half_open --> closed : Test call succeeded\nReset failure count

    half_open --> open : Test call failed\nReset timeout

    note right of closed
        Normal operation
        All calls pass through
        Failures counted
    end note

    note right of open
        All calls REJECTED immediately
        Error: "Circuit breaker is open"
        No calls to external service
    end note

    note right of half_open
        Single probe call allowed
        Determines if service recovered
    end note

Retry Strategy

For transient errors (network timeouts, rate limits):

async function withRetry<T>(
  fn: () => Promise<T>,
  maxRetries: number = 3,
  delay: number = 1000
): Promise<T> {
  for (let i = 0; i < maxRetries; i++) {
    try {
      return await fn()
    } catch (error) {
      if (i === maxRetries - 1) throw error

      logger.warn(`Retry ${i + 1}/${maxRetries}`, { error })
      await new Promise((resolve) => setTimeout(resolve, delay * (i + 1)))
    }
  }

  throw new Error('Retry limit exceeded')
}

// Usage
const rates = await withRetry(() => fetchECBRates('EUR'))

Circuit Breaker

For external services that frequently fail:

class CircuitBreaker {
  private failures = 0
  private threshold = 5
  private timeout = 60000  // 1 minute
  private state: 'closed' | 'open' | 'half-open' = 'closed'
  private nextAttempt = 0

  async execute<T>(fn: () => Promise<T>): Promise<T> {
    if (this.state === 'open') {
      if (Date.now() < this.nextAttempt) {
        throw new Error('Circuit breaker is open')
      }
      this.state = 'half-open'
    }

    try {
      const result = await fn()
      this.onSuccess()
      return result
    } catch (error) {
      this.onFailure()
      throw error
    }
  }

  private onSuccess() {
    this.failures = 0
    this.state = 'closed'
  }

  private onFailure() {
    this.failures++
    if (this.failures >= this.threshold) {
      this.state = 'open'
      this.nextAttempt = Date.now() + this.timeout
      logger.warn('Circuit breaker opened', { failures: this.failures })
    }
  }
}

const sendGridBreaker = new CircuitBreaker()

async function sendEmailWithBreaker(options: SendEmailOptions) {
  return sendGridBreaker.execute(() => sendEmail(options))
}

Graceful Degradation

If external service fails, degrade gracefully:

Example: Invoice email delivery

async function sendInvoiceEmail(invoiceId: string) {
  try {
    await sendEmail({ /* ... */ })
    await prisma.invoice.update({
      where: { id: invoiceId },
      data: { sentAt: new Date(), status: 'sent' }
    })
  } catch (error) {
    logger.error('Failed to send invoice email', { invoiceId, error })

    // Fallback: Mark invoice as sent but flag for manual email
    await prisma.invoice.update({
      where: { id: invoiceId },
      data: {
        status: 'draft',  // Keep in draft
        notes: `Email delivery failed: ${error.message}. Please send manually.`
      }
    })

    // Alert admin
    await sendSlackAlert('Invoice email delivery failed', { invoiceId })
  }
}

Environment Variables Summary

# SendGrid
SENDGRID_API_KEY=SG.xxxxx
SENDGRID_FROM_EMAIL=noreply@bilko.io
SENDGRID_FROM_NAME=Bilko

# Cloudflare R2
R2_ACCOUNT_ID=your-account-id
R2_ACCESS_KEY_ID=your-access-key
R2_SECRET_ACCESS_KEY=your-secret-key
R2_BUCKET_NAME=bilko-files
R2_PUBLIC_URL=https://r2.bilko.io

# Fixer.io (fallback)
FIXER_API_KEY=your-api-key

# Feature Flags
ENABLE_EMAIL_TRACKING=true
ENABLE_VIRUS_SCANNING=false  # For MVP

End of Services Documentation

Backend

API Coverage Report

API Coverage Report

Date: 2026-02-20 Purpose: Map every frontend page to required API endpoints. Verify 100% coverage. Status: Backend NOT implemented (specification only)

Coverage Matrix

Dashboard Page (/)

UI Element Data Required API Endpoint Status
Cash Balance metric Total bank account balances in base currency GET /api/v1/reports/dashboard COVERED
Revenue MTD metric Month-to-date revenue GET /api/v1/reports/dashboard COVERED
Unpaid Invoices metric Total unpaid invoices GET /api/v1/reports/dashboard COVERED
Expenses MTD metric Month-to-date expenses GET /api/v1/reports/dashboard COVERED
Profit MTD metric Month-to-date profit GET /api/v1/reports/dashboard COVERED
Cash Flow Change Percentage change from last month GET /api/v1/reports/dashboard COVERED
P&L Bar Chart 6-month monthly P&L data GET /api/v1/reports/dashboard COVERED
Receivables Aging Chart Receivables breakdown by age (current, 30d, 60d, 90d+) GET /api/v1/reports/dashboard COVERED
Expenses by Category Chart Expenses grouped by category GET /api/v1/reports/dashboard COVERED
Recent Transactions table Last 5 transactions GET /api/v1/transactions?perPage=5&sort=transactionDate&order=desc COVERED

Invoices List Page (/invoices)

UI Element Data Required API Endpoint Status
Invoice list (all filters) Paginated invoices with filter/sort/search GET /api/v1/invoices?status=X&search=Y&fromDate=Z&toDate=W&page=P&perPage=20&sort=field&order=desc COVERED
Status filter options Invoice list filtered by status GET /api/v1/invoices?status={draft|sent|viewed|paid|overdue|cancelled} COVERED
Search (customer/number) Invoice list filtered by search query GET /api/v1/invoices?search={query} COVERED
Date range filter Invoice list filtered by date range GET /api/v1/invoices?fromDate=YYYY-MM-DD&toDate=YYYY-MM-DD COVERED
Summary totals by status Client-side calculation from filtered list N/A (client-side) COVERED
Edit invoice action Get invoice details for editing GET /api/v1/invoices/:id COVERED
Delete invoice action Delete invoice DELETE /api/v1/invoices/:id MISSING
Send invoice action Send invoice via email POST /api/v1/invoices/:id/send COVERED
Download PDF action Get invoice PDF GET /api/v1/invoices/:id/pdf COVERED

MISSING ENDPOINT:

Invoice Creation Wizard (/invoices/new)

Step UI Element Data Required API Endpoint Status
1 Customer dropdown List of customers GET /api/v1/contacts?type=customer COVERED
1 Add customer dialog Create new customer POST /api/v1/contacts COVERED
2 Invoice number Auto-generated invoice number Client-side generation (format: INV-YYYY-NNN) COVERED
2 Currency options List of supported currencies GET /api/v1/currencies COVERED
3 Line items Form input (no API needed) N/A COVERED
3 VAT rate options Tax rate configuration GET /api/v1/settings/tax-rates COVERED
4 Notes/Terms Form input (no API needed) N/A COVERED
5 Preview Client-side rendering of form data N/A COVERED
6 Save as Draft Create invoice with status=draft POST /api/v1/invoices COVERED
6 Send Invoice Create + send invoice POST /api/v1/invoices (then) POST /api/v1/invoices/:id/send COVERED
6 Download PDF Generate PDF GET /api/v1/invoices/:id/pdf COVERED

Expenses List Page (/expenses)

UI Element Data Required API Endpoint Status
Expense list Paginated expenses with filters GET /api/v1/expenses?period=X&category=Y&search=Z&page=P&perPage=20 COVERED
Period filter Expenses filtered by date range GET /api/v1/expenses?fromDate=YYYY-MM-DD&toDate=YYYY-MM-DD COVERED
Category filter Expenses filtered by category GET /api/v1/expenses?category={category} COVERED
Search (description/vendor) Expenses filtered by search query GET /api/v1/expenses (client-side search on fetched data) COVERED
Summary stats Client-side calculation from filtered list N/A (client-side) COVERED
Create expense Create new expense POST /api/v1/expenses COVERED
Upload receipt Upload receipt file POST /api/v1/expenses (multipart with receiptFile) COVERED
Edit expense Update expense (pending only) PUT /api/v1/expenses/:id COVERED
Approve expense Approve expense PATCH /api/v1/expenses/:id/approve COVERED
Delete expense Delete expense (pending only) DELETE /api/v1/expenses/:id COVERED
Download receipt Get receipt file GET /api/v1/expenses/:id/receipt MISSING

MISSING ENDPOINT:

Purchases Page (/purchases)

UI Element Data Required API Endpoint Status
(Same as /expenses) Same data as expenses page Same as /expenses COVERED

Note: This is an alias route to the expenses page. No additional API endpoints needed.

Banking Page (/banking)

Accounts Tab

UI Element Data Required API Endpoint Status
Bank account list List of bank accounts GET /api/v1/bank-accounts COVERED
Add bank account Create new bank account POST /api/v1/bank-accounts COVERED
Account balance Current balance per account GET /api/v1/bank-accounts (included in response) COVERED

Reconcile Tab

UI Element Data Required API Endpoint Status
Account selector List of bank accounts GET /api/v1/bank-accounts COVERED
Unreconciled transactions Unreconciled bank transactions for selected account GET /api/v1/bank-accounts/:id/transactions?reconciled=false COVERED
Match confidence Client-side calculation based on amount/date/description N/A (client-side) COVERED
Approve match Mark transaction as reconciled POST /api/v1/bank-accounts/:id/reconcile COVERED
Link to invoice/expense Link bank transaction to existing record POST /api/v1/bank-accounts/:id/reconcile (with transactionId) COVERED
Create new transaction Create GL transaction from unmatched bank transaction POST /api/v1/transactions COVERED

Transactions Tab

UI Element Data Required API Endpoint Status
All bank transactions All bank transactions (paginated) GET /api/v1/bank-accounts/:id/transactions COVERED
Reconciliation status filter Bank transactions filtered by reconciled status GET /api/v1/bank-accounts/:id/transactions?reconciled={true|false} COVERED
Date range filter Bank transactions filtered by date GET /api/v1/bank-accounts/:id/transactions?fromDate=X&toDate=Y COVERED

Import Transactions

UI Element Data Required API Endpoint Status
Import CSV Upload bank statement CSV POST /api/v1/bank-accounts/:id/import COVERED

Reports Hub Page (/reports)

UI Element Data Required API Endpoint Status
P&L Report preview Profit & Loss data for current month GET /api/v1/reports/profit-loss?from=YYYY-MM-01&to=YYYY-MM-DD COVERED
Balance Sheet preview Balance sheet data (coming soon) GET /api/v1/reports/balance-sheet?date=YYYY-MM-DD COVERED
Cash Flow preview Cash flow data (coming soon) GET /api/v1/reports/cash-flow?from=X&to=Y COVERED
VAT Report preview VAT report data (live at /reports/vat) GET /api/v1/reports/vat?from=X&to=Y COVERED
Trial Balance preview Trial balance data (coming soon) GET /api/v1/reports/trial-balance?date=YYYY-MM-DD COVERED
General Ledger preview Transaction list (coming soon) GET /api/v1/transactions COVERED

VAT Report Page (/reports/vat)

Step UI Element Data Required API Endpoint Status
1 Reconciliation status check Count of unreconciled bank transactions GET /api/v1/bank-accounts (aggregate unreconciled count client-side) PARTIAL
2 VAT transaction table All invoices and expenses with VAT for period GET /api/v1/reports/vat?from=X&to=Y COVERED
2 Summary boxes (collected/paid/due) Calculated from VAT transaction data GET /api/v1/reports/vat?from=X&to=Y COVERED
3 VAT return boxes Formatted VAT return data GET /api/v1/reports/vat?from=X&to=Y COVERED
3 Export PDF Generate PDF report GET /api/v1/reports/vat/export/pdf?from=X&to=Y MISSING
3 Export XML Generate XML for e-filing GET /api/v1/reports/vat/export/xml?from=X&to=Y MISSING
3 Submit return Submit VAT return (Phase 2) POST /api/v1/reports/vat/submit MISSING

MISSING ENDPOINTS:

PARTIAL COVERAGE:

Settings Page (/settings)

Company Section

UI Element Data Required API Endpoint Status
Company profile form Organization data GET /api/v1/organization COVERED
Save company profile Update organization PUT /api/v1/organization COVERED

Users Section

UI Element Data Required API Endpoint Status
User list List of users in organization GET /api/v1/users COVERED
Invite user Send user invite POST /api/v1/users/invite COVERED
Change user role Update user role PUT /api/v1/users/:id/role COVERED
Remove user Delete user DELETE /api/v1/users/:id COVERED

Tax & Compliance Section

UI Element Data Required API Endpoint Status
Tax settings form Tax rate configuration GET /api/v1/settings/tax-rates COVERED
Save tax settings Update tax rates PUT /api/v1/settings/tax-rates COVERED
VAT registration toggle Update organization (vatNumber field) PUT /api/v1/organization COVERED

Integrations Section

UI Element Data Required API Endpoint Status
Connected integrations List of integrations GET /api/v1/integrations MISSING
Available integrations List of integrations GET /api/v1/integrations MISSING
Connect integration Connect to integration POST /api/v1/integrations/:id/connect MISSING
Disconnect integration Disconnect integration DELETE /api/v1/integrations/:id/disconnect MISSING

MISSING ENDPOINTS (Integrations): All integration-related endpoints are missing. These should be Phase 2, but placeholders needed:

Notifications Section

UI Element Data Required API Endpoint Status
Notification preferences User notification settings GET /api/v1/settings/notifications MISSING
Save preferences Update notification settings PATCH /api/v1/settings/notifications MISSING

MISSING ENDPOINTS (Notifications):

Security Section

UI Element Data Required API Endpoint Status
Enable 2FA Enable 2FA for user POST /api/v1/auth/2fa/enable MISSING
Disable 2FA Disable 2FA for user DELETE /api/v1/auth/2fa/disable MISSING
Session timeout User/org settings GET /api/v1/settings/security MISSING
Save security settings Update security settings PATCH /api/v1/settings/security MISSING
View audit log Audit trail GET /api/v1/security/audit-log MISSING
Request data export Export all data POST /api/v1/security/data-export MISSING
Delete company Delete organization DELETE /api/v1/organization MISSING

MISSING ENDPOINTS (Security):

Forms → API Mapping

Form Submit Action API Endpoint Request Body Status
Create Invoice (Step 6) POST POST /api/v1/invoices CreateInvoiceRequest COVERED
Send Invoice (Step 6) POST POST /api/v1/invoices/:id/send SendInvoiceRequest COVERED
Add Customer (Wizard Step 1) POST POST /api/v1/contacts CreateContactRequest COVERED
Create Expense (Dialog) POST POST /api/v1/expenses CreateExpenseRequest (multipart) COVERED
Upload Receipt (Expense Dialog) POST POST /api/v1/expenses (multipart receiptFile) File upload COVERED
Update Company Profile PUT PUT /api/v1/organization UpdateOrganizationRequest COVERED
Update Tax Settings PUT PUT /api/v1/settings/tax-rates UpdateTaxRatesRequest COVERED
Invite User POST POST /api/v1/users/invite InviteUserRequest COVERED
Change User Role PUT PUT /api/v1/users/:id/role ChangeRoleRequest COVERED
Import Bank Statement POST POST /api/v1/bank-accounts/:id/import CSV file upload COVERED
Create Manual Transaction POST POST /api/v1/transactions CreateTransactionRequest COVERED
Update Notification Preferences PATCH PATCH /api/v1/settings/notifications NotificationSettings MISSING
Update Security Settings PATCH PATCH /api/v1/settings/security SecuritySettings MISSING
Connect Integration POST POST /api/v1/integrations/:id/connect Integration-specific MISSING
Submit VAT Return POST POST /api/v1/reports/vat/submit SubmitVATRequest MISSING

Coverage Summary

Page Endpoints Required Endpoints Documented Coverage
Dashboard 2 2 100%
Invoices List 6 5 83% (missing DELETE)
Invoice Wizard 6 6 100%
Expenses 7 6 86% (missing receipt download)
Purchases 7 6 86% (same as expenses)
Banking 7 7 100%
Reports Hub 6 6 100%
VAT Report 7 4 57% (missing PDF/XML export, submit)
Settings - Company 2 2 100%
Settings - Users 4 4 100%
Settings - Tax 2 2 100%
Settings - Integrations 3 0 0% (Phase 2)
Settings - Notifications 2 0 0% (missing)
Settings - Security 6 0 0% (missing)
TOTAL 67 50 75%

Missing Endpoints

High Priority (Core Features)

  1. DELETE /api/v1/invoices/:id — Delete invoice (draft only)

    • Reason: Invoice list has delete action

  2. GET /api/v1/expenses/:id/receipt — Download expense receipt

    • Reason: Expense list shows receipt indicator, needs download link

  3. GET /api/v1/reports/vat/export/pdf — VAT report PDF export

    • Reason: VAT report has export button (placeholder currently)

  4. GET /api/v1/reports/vat/export/xml — VAT report XML export (e-filing)

    • Reason: VAT report has export button (placeholder currently)

Medium Priority (Settings)

  1. GET /api/v1/settings/notifications — Get notification preferences

    • Reason: Settings page has notification section with checkboxes

  2. PATCH /api/v1/settings/notifications — Update notification preferences

    • Reason: Settings page has save button for notification preferences

  3. GET /api/v1/settings/security — Get security settings

    • Reason: Settings page has security section (session timeout, password policy)

  4. PATCH /api/v1/settings/security — Update security settings

    • Reason: Settings page has save button for security settings

  5. GET /api/v1/security/audit-log — Audit log

    • Reason: Settings security section has "View Audit Log" button

  6. POST /api/v1/security/data-export — GDPR data export

    • Reason: Settings security section has "Request Data Export" button

  7. DELETE /api/v1/organization — Delete company

    • Reason: Settings security section has "Delete Company" button (danger zone)

  8. POST /api/v1/auth/2fa/enable — Enable 2FA

    • Reason: Settings security section has "Enable 2FA" button

  9. DELETE /api/v1/auth/2fa/disable — Disable 2FA

    • Reason: Settings security section needs disable option if 2FA enabled

Low Priority (Phase 2 Features)

  1. GET /api/v1/integrations — List integrations

    • Reason: Settings integrations section (Phase 2)

  2. POST /api/v1/integrations/:id/connect — Connect integration

    • Reason: Settings integrations section (Phase 2)

  3. DELETE /api/v1/integrations/:id/disconnect — Disconnect integration

    • Reason: Settings integrations section (Phase 2)

  4. POST /api/v1/reports/vat/submit — Submit VAT return

    • Reason: VAT report has submit button (explicitly marked "Coming in Phase 2")

  5. GET /api/v1/bank-accounts/unreconciled-count — Unreconciled transaction count

    • Reason: VAT report Step 1 checks reconciliation status (currently client-side aggregation, could be dedicated endpoint)

Redundant Endpoints

None identified. All endpoints in API-REFERENCE.md are consumed by at least one frontend page.

Recommendations

1. Add Missing Core Endpoints

Priority: HIGH Scope: Endpoints 1-4 from Missing Endpoints list

These are referenced directly in existing UI actions. Without them, users will encounter broken functionality:

Implementation Order:

  1. DELETE /api/v1/invoices/:id (simplest, no business logic)
  2. GET /api/v1/expenses/:id/receipt (file download)
  3. GET /api/v1/reports/vat/export/pdf (report generation + PDF library)
  4. GET /api/v1/reports/vat/export/xml (report generation + XML serialization)

2. Implement Settings Endpoints

Priority: MEDIUM Scope: Endpoints 5-13 from Missing Endpoints list

Settings page is fully implemented with save buttons, but no backend to persist data. Current behavior: console.log() only.

Recommendation: Implement all settings endpoints together in one feature branch. They share similar patterns (GET/PATCH pairs, org-scoped data).

3. Phase 2 Features as Stubs

Priority: LOW Scope: Endpoints 14-18 from Missing Endpoints list

These are explicitly marked as "Phase 2" or "Coming Soon" in the UI. Consider implementing stub endpoints that return:

This allows frontend to gracefully handle the "not yet implemented" state without errors.

4. Add Endpoint: GET /api/v1/bank-accounts/unreconciled-count

Priority: LOW Scope: New endpoint not in API-REFERENCE.md

VAT report Step 1 checks for unreconciled transactions. Currently, frontend must:

  1. Fetch GET /api/v1/bank-accounts (all accounts)
  2. For each account, fetch GET /api/v1/bank-accounts/:id/transactions?reconciled=false
  3. Aggregate counts

Recommendation: Add dedicated endpoint to avoid N+1 query pattern.

// Proposed endpoint
GET /api/v1/bank-accounts/unreconciled-count

Response:
{
  total: number
  byAccount: Array<{
    accountId: string
    accountName: string
    count: number
  }>
}

5. Verify TypeScript Interface Consistency

Priority: MEDIUM

API-REFERENCE.md defines TypeScript interfaces for request/response bodies. Frontend uses these types in forms and state management.

Action Items:

Example:

// packages/types/src/invoice.ts
import { z } from 'zod'

export const CreateInvoiceRequestSchema = z.object({
  customerId: z.string().uuid(),
  invoiceDate: z.string().regex(/^\d{4}-\d{2}-\d{2}$/),
  dueDate: z.string().regex(/^\d{4}-\d{2}-\d{2}$/),
  currencyCode: z.enum(['EUR', 'RSD', 'BAM', 'HRK']).optional(),
  items: z.array(z.object({
    description: z.string().min(1),
    quantity: z.number().positive(),
    unitPrice: z.number().nonnegative(),
    taxRate: z.number().nonnegative(),
    accountId: z.string().uuid().optional()
  })),
  notes: z.string().optional(),
  terms: z.string().optional()
})

export type CreateInvoiceRequest = z.infer<typeof CreateInvoiceRequestSchema>

Backend uses schema for validation:

// apps/api/src/routes/invoices.ts
import { CreateInvoiceRequestSchema } from '@bilko/types'

router.post('/invoices', async (req, res) => {
  const data = CreateInvoiceRequestSchema.parse(req.body) // Throws if invalid
  // ...
})

Frontend uses type for forms:

// apps/web/app/(dashboard)/invoices/new/page.tsx
import { CreateInvoiceRequest } from '@bilko/types'

const [formData, setFormData] = useState<CreateInvoiceRequest>({...})

6. Authentication Endpoints Missing from Coverage

Priority: HIGH

Frontend has no login/register pages yet, but API-REFERENCE.md defines 5 auth endpoints:

Recommendation: Create auth pages in Phase 2:

7. Error Handling Pattern

Priority: MEDIUM

API-REFERENCE.md defines error response format:

interface ApiError {
  error: string
  code: string
  details?: Record<string, string[]>
}

Recommendation: Create frontend error handling utility:

// lib/api-error.ts
export function handleApiError(error: Response) {
  const apiError: ApiError = await error.json()

  if (apiError.details) {
    // Field-level validation errors
    return Object.entries(apiError.details).map(([field, errors]) => ({
      field,
      message: errors.join(', ')
    }))
  }

  // Generic error
  return { message: apiError.error, code: apiError.code }
}

Use in forms:

try {
  await fetch('/api/v1/invoices', { method: 'POST', body: JSON.stringify(data) })
} catch (error) {
  const errors = handleApiError(error)
  // Display errors in form
}

Implementation Priority Matrix

Endpoint Priority Reason Est. Effort
DELETE /api/v1/invoices/:id HIGH Invoice list delete button 2h
GET /api/v1/expenses/:id/receipt HIGH Receipt download links 3h
GET /api/v1/reports/vat/export/pdf HIGH VAT export button 8h
GET /api/v1/reports/vat/export/xml HIGH VAT e-filing 6h
GET /api/v1/settings/notifications MEDIUM Settings page persistence 3h
PATCH /api/v1/settings/notifications MEDIUM Settings page persistence 2h
GET /api/v1/settings/security MEDIUM Settings page persistence 4h
PATCH /api/v1/settings/security MEDIUM Settings page persistence 3h
GET /api/v1/security/audit-log MEDIUM Audit log viewer 5h
POST /api/v1/security/data-export MEDIUM GDPR compliance 8h
DELETE /api/v1/organization MEDIUM Delete company action 4h
POST /api/v1/auth/2fa/enable MEDIUM 2FA setup 8h
DELETE /api/v1/auth/2fa/disable MEDIUM 2FA removal 2h
GET /api/v1/integrations LOW Phase 2 feature 6h
POST /api/v1/integrations/:id/connect LOW Phase 2 feature 12h
DELETE /api/v1/integrations/:id/disconnect LOW Phase 2 feature 3h
POST /api/v1/reports/vat/submit LOW Phase 2 feature 16h
GET /api/v1/bank-accounts/unreconciled-count LOW Performance optimization 3h

Total Estimated Effort: 98 hours (~12-15 working days for 1 developer)

Suggested Implementation Phases:

Phase 2a (Core Features) — 19h

Phase 2b (Settings Persistence) — 31h

Phase 2c (Integrations + VAT Submit) — 37h

Phase 2d (Polish) — 11h

Conclusion

Overall Coverage: 75% (50 out of 67 required endpoints documented)

API-REFERENCE.md is 75% complete. The 50 documented endpoints cover all core business logic:

Missing 25%:

No redundant endpoints. Every endpoint in API-REFERENCE.md is consumed by at least one frontend page.

Recommendation: Implement Phase 2a (core features, 19h) before beta launch. Settings persistence can follow in Phase 2b after user feedback.

Next Steps:

  1. Review this coverage report with team
  2. Prioritize missing endpoints based on business needs
  3. Update API-REFERENCE.md with missing endpoint specs
  4. Create implementation tickets in Mission Control
  5. Build apps/api/ following API-REFERENCE.md contract
Backend

Bilko Authentication -- Entra External ID (CIAM)

Overview

Bilko uses Microsoft Entra External ID (CIAM) as its sole identity provider. Entra authenticates users; Bilko authorises them. Roles and permissions live exclusively in the Bilko database — no role claims are read from Entra tokens.

Decision anchor (ADR): "Entra authenticates, Bilko authorises; single-role v1; multi-org deferred (MC #103089)."

Stage status: Live on stage (branch stack WP1–WP4, feat/rbac-wp4-retire-legacy-auth commit 3ac1388). Production cutover pending consolidated PR.

Tenant Configuration

FieldValue
Tenant ID20bb17de-9be5-4143-a7e5-8c1ddae6a064
Display nameBilko CIAM
Domainbilkociam.onmicrosoft.com
TypeEntra External ID (CIAM), EU data residency, Norway
BillingMAU — free tier from 2026-06-07
Authority (MSAL)https://bilkociam.ciamlogin.com/20bb17de-9be5-4143-a7e5-8c1ddae6a064
Issuer (exact, from OIDC discovery)https://20bb17de-9be5-4143-a7e5-8c1ddae6a064.ciamlogin.com/20bb17de-9be5-4143-a7e5-8c1ddae6a064/v2.0
JWKS URIhttps://bilkociam.ciamlogin.com/20bb17de-9be5-4143-a7e5-8c1ddae6a064/discovery/v2.0/keys
OIDC discoveryhttps://bilkociam.ciamlogin.com/20bb17de-9be5-4143-a7e5-8c1ddae6a064/v2.0/.well-known/openid-configuration

Issuer note: OIDC discovery returns the issuer with the tenant-ID subdomain (20bb17de-...ciamlogin.com), NOT the named subdomain (bilkociam.ciamlogin.com). The Kotlin backend ENTRA_EXTERNAL_ID_ISSUER env var MUST match the discovery value exactly. See evidence: /tmp/evidence-103076/phase0-config.md.

App Registrations

AppClient IDFlowNotes
Bilko API (resource)fe39e0f5-513e-40af-93f0-c3ee624df56cExposes scopeScope: access_as_user; full scope string: api://fe39e0f5-513e-40af-93f0-c3ee624df56c/access_as_user; audience for token validation = client ID; no client secret (resource app)
Bilko Web SPAc2902239-ea63-41bd-8619-6cf096d7d45aPKCE auth code (SPA)Redirects: localhost:3000, stage Cloud Run URL, bilko-demo.alai.no, app.bilko.cloud, app.bilko.io, app.bilko.company (+ /auth/callback variants); no client secret
Bilko Mobile (native)916bb9f3-658d-4729-b5a0-64b1f157c8c2PKCE auth code (native/public)Redirect: com.alai.bilko://auth, msauth.com.alai.bilko://auth; isFallbackPublicClient=true; Expo Go workaround documented in Phase 0 config

Secrets (none exist — all public clients). Non-secret configuration is stored in GCP Secret Manager (bilko-entra-issuer, bilko-entra-audience, bilko-entra-jwks-url) and Bitwarden ("Bilko CIAM Tenant Config").

Token Claims

Bilko JWTs issued after exchange use the internal Bilko user UUID as the subject claim — email is not the identity anchor in issued tokens.

Authentication Flow — Web (MSAL Direct Bearer)

  1. Browser opens login page → MSAL browser (@azure/msal-browser + @azure/msal-react) initiates PKCE auth code flow
  2. Redirect to bilkociam.ciamlogin.com → user authenticates (email/password or social) → Entra issues auth code
  3. MSAL exchanges code for tokens (PKCE, in memory — NOT localStorage)
  4. MSAL acquires access token for scope api://fe39e0f5.../access_as_user
  5. Web sends Authorization: Bearer <entra-access-token> to Kotlin API
  6. Kotlin EntraExternalIdService.verifyIdToken() validates: RS256 signature via live JWKS, issuer exact match, audience = fe39e0f5..., oid claim present, JWKS URL domain-pinned to ciamlogin.com/microsoftonline.com
  7. JIT provisioning or email-match link (see JIT section below) → Bilko session returned
  8. Session cookie (SameSite=Lax, httpOnly) established; subsequent requests use Bilko refresh token
  9. Sign-out calls Entra logout endpoint to invalidate Entra session + clears local cookie

Authentication Flow — Mobile (Token Exchange)

  1. Expo native app initiates PKCE via expo-auth-session / useEntraAuthRequest
  2. Redirect to Entra → auth code returned to com.alai.bilko://auth
  3. MSAL exchanges code; id_token (not access_token) sent to POST /auth/entra/session
  4. Kotlin backend verifies id_token, runs JIT provisioning or link, returns { accessToken, refreshToken }
  5. Tokens stored in SecureStore; TTL aligns with Bilko 7-day refresh token window

JIT Provisioning + Identity Linking

Implemented in AuthService.createSessionFromEntraIdToken() (SERIALIZABLE transaction — martin-kleppmann race-prevention mandate):

  1. Lookup entra_external_identities by issuer + oid. If found: return session.
  2. If not found: email-match lookup in users (case-normalised, lowercase both sides). If unique match and email_verified: insert entra_external_identities row, log audit event entra_jit_link, return session.
  3. If no match: call UserProvisioningService.provisionNewUserForEntra() — creates a new org + user with role viewer + inserts entra_external_identities row. New user must be promoted by an admin.

Design dissent on record (martin-kleppmann + bruce-momjian): email-match JIT is risky if email is mutable or duplicate. Pre-provision by OID (via admin invite or MS Graph export script) is the safer path. JIT email-match is constrained with a serializable transaction as a partial mitigation. The pre-provision script path (D8 in MC #103075) is the recommended path for production migration.

JWKS Cache + Key Rotation

EntraExternalIdService maintains a time-bound JWKS key cache:

Refresh Token Revocation (Known Limitation)

Bilko refresh tokens are 7-day HMAC validated locally. A disabled Entra account remains valid in Bilko for up to 7 days. Open CEO/Securion decision (OC#4 from MC #103075):

Legacy Email/Password — RETIRED (410 Gone)

As of branch feat/rbac-wp4-retire-legacy-auth (commit 3ac1388), the following endpoints return HTTP 410 Gone with body {"code":"ENDPOINT_RETIRED"}:

Kept active: POST /auth/entra/session, POST /auth/refresh, POST /auth/mobile/refresh, POST /auth/2fa/challenge.

Web login page: email/password form removed; Entra primary CTA only. Self-serve register page removed; shows "contact your admin" message. Forgot/reset password redirects to Entra SSPR portal.

Break-glass (first-admin bootstrap): run ./gradlew :apps:api:bootStrapAdmin with BOOTSTRAP_ADMIN_EMAIL + BOOTSTRAP_ADMIN_PASSWORD env vars. Calls AuthService.register() directly; no HTTP endpoint exposed.

Phase 0–4 Deployment Facts

Phase / WPScopeBranchStatus
Phase 0 (MC #103076)CIAM tenant provisioning, 3 app registrations, JWKS verificationFlowForge standaloneDONE — stage live
WP1 (MC #103141)RBAC permissions catalog V67, PermissionService, BilkoPrincipal, requirePermission, 204 matrix testsfeat/rbac-wp1-permissions-catalogDONE — Proveo PARTIAL (integration test fix applied post-verification)
WP2 (MC #103142)JIT provisioning V68, UserProvisioningService, admin/invite API, role-assign endpointfeat/rbac-wp2-user-provisioningDONE — Proveo PASS
WP3 (MC #103143)Web: Entra primary CTA, register retired, forgot/reset SSPR, RBAC admin UIfeat/rbac-wp3-web-entra-uiDONE — Proveo PASS
WP4 (MC #103144)Retire legacy endpoints (410), web login Entra-only, break-glass documentedfeat/rbac-wp4-retire-legacy-authDONE — Proveo PASS
WP5 (MC #103145)E2E: live CIAM token, OID anchor, JIT provision, RBAC enforcement, invalid token rejectionfeat/rbac-wp3-web-entra-uiDONE — PASS (browser MSAL flow deferred to Proveo pre-prod)

Evidence bundles: /tmp/evidence-103141 through /tmp/evidence-103145, /tmp/evidence-103076/phase0-config.md.

Backend

Bilko RBAC -- Users / Roles / Permissions

Overview

Bilko uses a flat RBAC model: users have one role per organisation; roles map to a permission catalog via a DB seed table. Permission resolution is live from the database on every request (no JWT role claim for authorisation). The system was built in WP1 (MC #103141, branch feat/rbac-wp1-permissions-catalog).

Roles

RoleLevelScope
owner3All permissions including billing, account deletion, user management
admin2All permissions except billing and account deletion; can manage users and roles
accountant1Create and manage financial records; cannot delete; cannot manage users
viewer0Read-only access; default for newly JIT-provisioned Entra users

Roles are stored in users.role (VARCHAR 50) with a CHECK constraint added in V67 limiting values to these four. Single role per user per organisation (multi-role/multi-org deferred, MC #103089).

Permissions Catalog (V67 — 52 keys)

Source: apps/api/src/main/resources/db/migration/V67__rbac_permissions_catalog.sql (commit 66629bd). The catalog is stored in the permissions table; all application code references permission keys as string constants.

Format: <resource>:<verb> enforced by a DB CHECK constraint (permission_key_format). Example keys by resource group:

Resource groupExample keys
Invoicesinvoice:read, invoice:create, invoice:update, invoice:delete, invoice:submit
Expensesexpense:read, expense:create, expense:update, expense:delete
Contactscontact:read, contact:create, contact:update, contact:delete
Transactionstransaction:read, transaction:create, transaction:reconcile
Reportsreport:read, report:export
Settings / billingsettings:read, settings:update, billing:read, billing:update
Usersusers:read, users:manage, users:invite
Account adminaccount:delete
Documentsdocument:read, document:upload, document:delete
Articles / productsarticle:read, article:create, article:update, article:delete

Full 52-key baseline stored in: apps/api/src/main/resources/rbac/requireRole-baseline-v67.tsv (commit 0bf18fd, 51 data rows).

Role-to-Permission Seed (Strategy A — Flat Inheritance)

Source: role_permissions table seeded in V67. Each row: (role, permission_key). No runtime inheritance logic — the seed embeds the full flattened set for each role.

RolePermissions countPrinciple
viewer13Read-only: all :read + :export keys
accountant40viewer permissions + create/update on financial resources; no delete, no user management
admin49accountant permissions + delete + user management; no billing:update, no account:delete
owner52All 52 permissions (complete set)

The seed exactly reproduces the behaviour of the legacy requireRole() numeric hierarchy — verified by 204 RbacMatrixTest cases (0 failures). No behaviour regression.

PermissionService — Live DB Resolution

Source: apps/api/src/main/kotlin/no/alai/bilko/services/PermissionService.kt (commit dee4fb1)

BilkoPrincipal + requirePermission

Source: apps/api/src/main/kotlin/no/alai/bilko/auth/BilkoPrincipal.kt and RbacHelper.kt (commit dee4fb1)

Role-to-Permission Matrix

Permission keyvieweraccountantadminowner
invoice:readYYYY
invoice:create-YYY
invoice:update-YYY
invoice:delete--YY
invoice:submit-YYY
expense:readYYYY
expense:create-YYY
expense:delete--YY
users:readYYYY
users:manage--YY
users:invite--YY
billing:read---Y
billing:update---Y
account:delete---Y
settings:readYYYY
settings:update--YY
report:readYYYY
report:exportYYYY
... (52 total)Full catalog in V67 seed

Full read-only matrix visible to admins/owners in the web admin UI at /admin/users (component: lib/permissions.ts ROLE_PERMISSION_MATRIX).

Authorization Audit Log

Source: apps/api/src/main/kotlin/no/alai/bilko/auth/AuthzAuditLogger.kt (commit dee4fb1)

V67/V68 Migration Summary

MigrationContents
V67 (V67__rbac_permissions_catalog.sql)Creates permissions table (52 keys, format CHECK); role_permissions table with full 4-role seed; adds users.role CHECK constraint; GRANT SELECT to bilko_app; no RLS (global catalog)
V68 (V68__rbac_user_provisioning.sql)Adds users:manage and users:invite permission keys; SECURITY DEFINER function bilko_auth.provision_user_with_org(issuer, oid, email, fullName) returning new user UUID; seeds new permissions to admin + owner roles

Test Coverage

Out of Scope (v1)

Backend

Bilko Auth Migration Runbook + Admin Guide

Scope

This runbook covers: (1) how an operator bootstraps the first admin after legacy auth is retired, (2) how an admin creates and invites users, (3) how to assign and change roles, (4) the full user lifecycle via Entra, (5) migration notes from the WP1–WP4 branch stack. For architecture detail see Bilko Authentication — Entra External ID (CIAM).

1. Bootstrapping the First Admin (Break-Glass)

After legacy /auth/register is retired (HTTP 410), there is no HTTP endpoint for creating the first user. Use the Gradle break-glass task:

# Set environment variables (never commit these):
export BOOTSTRAP_ADMIN_EMAIL="admin@yourorg.com"
export BOOTSTRAP_ADMIN_PASSWORD="<strong-temporary-password>"

# Run from the api project root:
cd apps/api
./gradlew :apps:api:bootStrapAdmin

What this does: calls AuthService.register() directly (bypasses HTTP routing), creates an organisation + owner user. No HTTP endpoint is exposed — zero backdoor surface. The temporary password should be rotated immediately via Entra SSPR after the admin first signs in.

Full runbook file: apps/api/docs/runbooks/BREAK-GLASS-BOOTSTRAP.md (on branch feat/rbac-wp4-retire-legacy-auth).

2. Creating / Inviting Users (Admin Flow)

User creation is now admin-gated. Self-serve registration is retired.

Via API

POST /api/v1/admin/users
Authorization: Bearer <admin-or-owner-access-token>

{
  "email": "newuser@example.com",
  "fullName": "Full Name",
  "role": "viewer"        // viewer | accountant | admin | owner
}

Response: HTTP 201 Created — returns the new user object including their UUID. The user receives an invite; they sign in via Entra (JIT provisioning links their Entra identity on first sign-in).

Permission required

users:manage — held by admin and owner roles.

Via Web Admin UI

  1. Sign in as admin or owner
  2. Navigate to Settings > Users (/admin/users)
  3. Click Invite User
  4. Enter email, full name, and select role
  5. Submit — user receives invite email (Entra CIAM invitation flow)

Viewers and accountants see a redirect to the dashboard if they navigate to /admin/users.

3. Assigning / Changing Roles

Via API

PUT /api/v1/users/:id/role
Authorization: Bearer <admin-or-owner-access-token>

{
  "role": "accountant"    // viewer | accountant | admin | owner
}

Constraints enforced:

Via Web Admin UI

  1. Navigate to Settings > Users
  2. Find the user row
  3. Click the role dropdown (visible to admin/owner only)
  4. Select the new role — saved immediately via PUT /users/:id/role

4. User Lifecycle

  1. Admin creates user via POST /admin/users (role = viewer by default, or specified role)
  2. User receives Entra invite (email from bilkociam.onmicrosoft.com)
  3. First sign-in: user clicks Entra sign-in on Bilko web login → authenticates in Entra CIAM → Bilko backend calls createSessionFromEntraIdToken():
    • Looks up entra_external_identities by oid → not found (first login)
    • Email-match lookup → finds pre-created user → inserts entra_external_identities row (JIT link) → audit event entra_jit_link
    • Bilko session returned; user is logged in as viewer
  4. Admin promotes role if needed via PUT /users/:id/role
  5. Subsequent logins: Entra → backend finds entra_external_identities by oid → direct session, no email-match step
  6. Sign-out: MSAL calls Entra logout endpoint → Entra session invalidated → Bilko session cookie cleared → next visit redirects to Entra login

5. What Changed — Migration Notes (WP1–WP4)

AreaBefore (pre-WP1)After (WP1–WP4)
Backend auth enforcementrequireRole("admin") inline in 51+ route handlersrequirePermission("invoice:create") via extension fn; 0 residual requireRole in routes
Permission dataNo tables; hardcoded numeric hierarchy in RbacHelperV67: permissions table (52 keys), role_permissions seed; V68: provisioning function
User provisioningSelf-serve POST /auth/registerAdmin invite (POST /admin/users) + JIT Entra link on first sign-in; UserProvisioningService
Web loginEmail/password form + "Sign in with Microsoft" coexistingEntra-only CTA; no email/password form; register page shows "contact your admin"
Legacy endpointsActive: /auth/login, /auth/register, /auth/forgot-password, /auth/reset-passwordHTTP 410 Gone + ENDPOINT_RETIRED body
Password resetEmail-based reset-password flow (V57 table)Redirect to Entra SSPR portal (self-service via Microsoft account)
RBAC admin UINo UI; role changes required direct DB queryWeb: Settings > Users page with role dropdown (admin/owner only)

6. Branch Stack (WP1–WP4 Stacked PRs)

WPBranchLatest commitKey files
WP1 — RBAC catalogfeat/rbac-wp1-permissions-catalog890168d (last route commit)V67 migration, PermissionService, BilkoPrincipal, RbacHelper, 17 route files migrated
WP2 — Provisioningfeat/rbac-wp2-user-provisioninga9fa67cV68 migration, UserProvisioningService, UserManagementRoutes
WP3 — Web UIfeat/rbac-wp3-web-entra-ui3c1c019login/page.tsx (Entra CTA), register/page.tsx (retired), admin/users/page.tsx, lib/permissions.ts
WP4 — Retire legacyfeat/rbac-wp4-retire-legacy-auth3ac1388AuthRoutes.kt (5 x 410), api.ts (removed methods), auth-store.ts, 13 new web tests

These branches are stacked and NOT yet merged to main. Production cutover requires a consolidated merge PR after CEO/Securion sign-off.

7. Rollback Procedure

If the consolidated deploy to main needs to be rolled back:

  1. Feature flag path (if FEATURE_ENTRA_AUTH_ENABLED env var is present): set to false to re-enable the password auth provider path (AuthProvider interface, D5 in MC #103075)
  2. Hard rollback: revert to the pre-WP1 commit; Flyway handles down-migration if reversible V67/V68 down scripts were authored (check migration files)
  3. password_hash: column was made nullable in V66 but existing rows retain their hash values — password-based login can be re-enabled without data loss during the rollback window
  4. Password reset tokens table (V57): NOT dropped. Must not be dropped until the rollback window closes (minimum 30 days post-production cutover). See D8 plan in MC #103075
  5. Entra disable: if Entra must be disabled urgently, also disable users in Bilko DB to enforce immediate revocation (7-day refresh window caveat — OC#4)

8. Database Schema Reference

TableKey columnsNotes
usersid, organization_id, email, password_hash (nullable), role (CHECK owner|admin|accountant|viewer), two_factor_*V66: password_hash nullable; V67: role CHECK added
entra_external_identitiesissuer, subject (= oid), user_id, last_login_atV64: created; UNIQUE(issuer,subject), UNIQUE(user_id,issuer); RLS: V66
permissionspermission_key (PK, CHECK format)V67: 52 keys; global catalog, no RLS, GRANT SELECT bilko_app
role_permissionsrole, permission_keyV67: exhaustive flat seed; V68: users:manage + users:invite added

Evidence Files

Backend

ADR-037 -- Entra Authenticates, Bilko Authorises; Single-Role v1; Multi-Org Deferred

ADR-037 — Entra Authenticates, Bilko Authorises; Single-Role v1; Multi-Org Deferred

FieldValue
ADR numberADR-037
Date2026-06-08
StatusAccepted
AuthorJohn (AI Director, ALAI Holding AS)
CEO decisionAlem Basic — confirmed 2026-06-07 (CEO resolution addendum, MC #103075)
Related MCsMC #103075 (Entra migration plan), MC #103141–103146 (WP1–WP6 execution), MC #103089 (multi-org, parked)
SupersedesExisting inline requireRole() pattern (pre-WP1)

Context

Bilko had a custom email/password authentication system and a simple numeric role hierarchy (requireRole() inline in route handlers). No permission catalog, no RBAC tables, no admin UI for user management. The CEO decision (June 2026) was to:

  1. Replace email/password authentication with Microsoft Entra External ID (CIAM) — hard REPLACE, not phased coexist
  2. Build a real permission-catalog RBAC system with a DB-backed role-to-permission mapping

Multiple design forks were evaluated by a multi-agent panel (Parisa Tabriz, Martin Kleppmann, Petter Graff, Bruce Momjian, Devils Advocate — MC #103075 forged prompt). Key unresolved tensions: web direct-bearer vs exchange, email-match JIT vs pre-provision-by-oid, roles-in-Entra-claims vs roles-in-Bilko-DB.

Decision

D1 — Identity Provider Boundary

Entra External ID (CIAM) authenticates. Bilko authorises.

D2 — Single Role per User per Organisation (v1)

One role per user per org: owner | admin | accountant | viewer. The role is stored in users.role (single column). Multi-role per user and multi-org membership are explicitly deferred to a separate epic (MC #103089).

Rationale: zero live clients; single-org Entra tenant; keep scope tightly bounded; multi-org requires a organization_members join table and CIAM tenant model decisions that are not yet resolved.

D3 — Permission Catalog in DB; Flat Inheritance Seed

A permissions catalog table (52 keys, resource:verb format enforced by CHECK) and a role_permissions mapping table (V67) replace the inline requireRole() calls. Seed strategy: flat exhaustive rows per role (Strategy A) — no runtime hierarchy derivation. The seed exactly reproduces existing behaviour (no regression — verified by 204 RbacMatrixTest cases).

D4 — Live DB Permission Resolution; Fail-Closed

PermissionService.resolve(role) queries role_permissions at request time. Unknown role resolves to emptySet() (no permissions). BilkoPrincipal carries the resolved permission set. All route-level checks use requirePermission("resource:verb").

D5 — Multi-Org Deferred

Entra CIAM is provisioned as a single tenant. JIT provisioning assigns a new Entra user to one Bilko organisation. Multi-org (one user in multiple orgs) requires: a organization_members join table, per-org permission resolution, and CIAM tenant model decisions. All deferred to MC #103089.

Consequences

Positive

Negative / Trade-offs

Alternatives Considered

AlternativeRejected reason
Roles in Entra claims (Entra app roles)Couples authorisation to IdP; role changes require Entra admin action not Bilko admin action; prevents clean multi-IdP future. Rejected per petter-graff + parisa-tabriz panel consensus.
Phased coexist (email/password + Entra in parallel for 2+ weeks)CEO confirmed hard REPLACE. Panel devils-advocate raised phased coexist as safer; CEO re-confirmed hard REPLACE given zero live users. AuthProvider interface (D5 MC #103075) technically enables a revert if needed.
Denormalised entra_oid on users table (bruce-momjian alternative)Separate-table V64 model kept; enables multi-IdP future; join cost is negligible at current scale. Fork preserved but not resolved — separate-table remains.
ABAC / policy engine (v1)Premature for current scale and requirements; adds complexity; deferred as explicit out-of-scope with comment in plan.

Open Decisions Not Resolved by This ADR

Backend

Bilko Self-Serve Trial — CIAM Architecture and Auth Pattern (MC #103232)

Bilko Self-Serve Trial — CIAM Architecture & Auth Pattern

MC: #103232 | Status: LIVE — Proveo 11/11 PASS | Last updated: 2026-06-09 | Securion verdict: LAUNCH WITH CONDITIONS

1. Overview

A prospect navigates to app.bilko.cloud (or bilko-demo.alai.no), clicks "Sign in or create a free account with your email", and completes a Microsoft CIAM Email-OTP sign-up. On first login, the backend JIT-provisions an empty Bilko organisation with a 7-day trial directly on the real production database (bilko-demo-db). There is no separate demo build, no invite-only flow, and no org Microsoft account required — any personal email address works.

The deployment target is the standard bilko-main-deploy semver-tag trigger. Stage and demo share the same Kotlin/Ktor binary and the same database instance (multi-tenant via RLS). The CIAM tenant (bilkociam) is a dedicated Microsoft Entra External ID tenant, completely separate from the Bilko staff Entra tenant.

1.1 Flow diagram

Prospect → app.bilko.cloud/login
         → "Sign in with Microsoft" (MSAL redirect)
         → bilkociam.ciamlogin.com [BilkoSignUpSignIn user flow]
         → Email OTP verification (8-digit code, ~6s delivery)
         → Consent pages (2 pages on first login only)
         → Redirect to app.bilko.cloud/auth/callback
         → MSAL: LOGIN_SUCCESS fires, payload.idToken available
         → POST /auth/entra/session { idToken }   [B1 exchange fix]
         → bilko-api: JWKS RS256 verify → OID lookup → JIT provision
         → Response: Bilko HMAC JWT + org { trialEndsAt }
         → setAuthFromRegistration()              [B1.2 session fix]
         → checkAuth() in-memory JWT fast-path    [B1.3 session fix]
         → /dashboard — empty org, trial active ("Probno: 6 dana preostalo")

2. CIAM Tenant Configuration

PropertyValue
Tenant namebilkociam
Tenant ID20bb17de-9be5-4143-a7e5-8c1ddae6a064
Tenant typeCIAM (Entra External ID)
SPA app nameBilko Web (SPA)
SPA client IDc2902239-ea63-41bd-8619-6cf096d7d45a
API resource app IDfe39e0f5-513e-40af-93f0-c3ee624df56c
Authority URLhttps://20bb17de-9be5-4143-a7e5-8c1ddae6a064.ciamlogin.com/20bb17de-9be5-4143-a7e5-8c1ddae6a064/v2.0
OIDC issuersame as authority URL (confirmed via discovery endpoint)

2.1 User flow: BilkoSignUpSignIn

PropertyValue
Flow IDaa86084b-01dc-453f-9e10-679dfefdd824
TypeexternalUsersSelfServiceSignUpEventsFlow
Display nameBilkoSignUpSignIn
Identity providerEmailOtpSignup-OAUTH (Email One Time Passcode)
isSignUpAllowedtrue
userTypeToCreatemember (not guest)
Attributes collectedemail (auto-filled by OTP verification)
Linked appc2902239-ea63-41bd-8619-6cf096d7d45a (Bilko Web SPA)

Authority URL note: Unlike Azure AD B2C, Entra External ID CIAM does not require a user flow policy name suffix in the authority URL. The BilkoSignUpSignIn flow is applied automatically at the tenant level when the SPA app is linked to it. The deployed authority URL requires no changes.

2.2 Registered SPA redirect URIs

2.3 Adding identity providers or attributes

To add social identity providers (Google, Apple) or additional signup attributes (e.g. display name, company name): Microsoft Entra admin centre → External Identities → User flows → BilkoSignUpSignIn → Identity providers / Attributes. No code changes or redeploys are required for attribute-only changes. Adding a social provider requires app registration on the provider side and linking in the CIAM tenant.

3. Auth Flow — The Hard-Won Pattern

This section documents three bugs that were discovered and fixed during Proveo E2E validation (MC #103232 WS-V). The fixes are canonical — do not revert them.

B1 — Token exchange (commit 660f410, tag v0.2.45)

Problem: MSAL's LOGIN_SUCCESS event fires with an Entra access_token (RS256, Microsoft-issued). The original code set this directly as the API Bearer header. The Bilko API validates HMAC256 JWTs only — all calls returned 401.

Fix: After MSAL fires, pass payload.idToken (not payload.accessToken) to a POST /auth/entra/session { idToken } call. The backend verifies the CIAM RS256 idToken via JWKS, looks up or JIT-provisions the user, and returns a Bilko HMAC JWT.

// apps/web/lib/msal/msal-provider.tsx — corrected token selection
const idToken = payload.idToken ?? payload.accessToken
if (idToken) { handleEntraLogin(idToken) }

// apps/web/lib/msal/use-entra-auth.ts — exchange call
const sessionResult = await api.auth.entraSession(idToken)
const bilkoJwt = sessionResult?.tokens?.accessToken
setAccessToken(bilkoJwt)

B1.2 — Session persistence via setAuthFromRegistration (commit e1e31c5, tag v0.2.46)

Problem: After the B1 exchange, checkAuth() was called to hydrate the store. checkAuth() internally calls POST /auth/refresh using the httpOnly refresh-token cookie. The CIAM exchange path does not set a cookie — so /auth/refresh returned 401, which cleared the Bilko JWT and redirected back to /login.

Fix: Replace the checkAuth() call in handleEntraLogin with setAuthFromRegistration(), which hydrates the Zustand auth store directly from the /auth/entra/session response body. No cookie round-trip needed.

// apps/web/lib/msal/use-entra-auth.ts — hydrate from session response
const { setAuthFromRegistration } = useAuthStore.getState()
setAuthFromRegistration({
  user: sessionResult.user,
  organization: sessionResult.organization,
  tokens: { accessToken: bilkoJwt },
})
// Navigate to /dashboard — Bilko JWT is in-memory Bearer

B1.3 — checkAuth in-memory JWT fast-path (commit 30a8c85, tag v0.2.47)

Problem: Even with B1.2, setAuthFromRegistration() in handleEntraLogin correctly set isAuthenticated=true. However, AuthProvider mounts on every protected route and calls checkAuth(). That call hit /auth/refresh (cookie path) → 401 → store reset to unauthenticated → redirect to /login on every page navigation.

Fix: Added an in-memory JWT fast-path at the top of checkAuth() in auth-store.ts. If a Bilko JWT is already in memory (set via the CIAM exchange), checkAuth() uses GET /auth/me with that Bearer token instead of falling through to the cookie-refresh path.

// apps/web/lib/stores/auth-store.ts — in-memory fast-path
checkAuth: async () => {
  const inMemoryToken = getAccessToken()
  if (inMemoryToken) {
    try {
      const me = await api.auth.me()
      set({ isAuthenticated: true, isLoading: false,
            user: { ...me, name: me.fullName },
            organization: me?.organization ?? null })
      return true
    } catch {
      set({ isAuthenticated: false, isLoading: false, user: null, organization: null })
      return false
    }
  }
  // Original cookie-refresh fallback (unchanged — non-CIAM sessions)
  ...
}

ENTRA_EXTERNAL_ID_AUDIENCE — critical build var (fixed in v0.2.47 trigger update)

Problem: The bilko-main-deploy Cloud Build trigger had _ENTRA_EXTERNAL_ID_AUDIENCE set to fe39e0f5 (the API resource app ID). This is wrong — the CIAM idToken audience is the SPA client ID (c2902239), because MSAL requests id_tokens scoped to the requesting app. Every new deploy reverted the Cloud Run env to the wrong value, requiring a manual patch.

Fix: The trigger substitution was updated:

# infrastructure/gcp/cloudbuild.yaml — correct value
_ENTRA_EXTERNAL_ID_AUDIENCE: c2902239-ea63-41bd-8619-6cf096d7d45a   # SPA client ID
# NOT: fe39e0f5-513e-40af-93f0-c3ee624df56c  (that is the API resource app — wrong for idToken aud)

This is now stable in the trigger — it will not revert on future deploys.

4. Backend JIT Provisioning

4.1 Database migrations (Flyway V66–V69)

MigrationPurpose
V66__entra_rls_and_password_nullable.sqlMakes password_hash nullable (Entra-only users have no password). Adds RLS policy on entra_external_identities (FORCE + fail-closed). Adds CHECK constraint: issuer must not end with trailing slash.
V67__rbac_permissions_catalog.sqlRBAC permissions catalog seeding.
V68__rbac_user_provisioning.sqlSECURITY DEFINER function bilko_auth.provision_user_with_org(): creates org (7-day trial, trial_starts_at, trial_ends_at = now() + 7 days), creates user (role='viewer', password_hash=NULL), inserts entra_external_identities row (issuer, OID, user_id). Default: country='BA', currency='BAM'.
V69__fix_provision_rls.sqlRLS fix: calls set_config('app.current_org_id', v_org_id, true) before the users INSERT so that RLS policies on the users table pass during JIT provisioning.

4.2 JIT provisioning call flow

POST /auth/entra/session { idToken }
  → EntraExternalIdService.verifyIdToken()         [RS256, JWKS, issuer+audience+exp]
  → AuthUserRepository.findByEntraIdentity(issuer, oid)  → null (new user)
  → AuthUserRepository.findByEmail(email)                → null (no existing Bilko account)
  → UserProvisioningService.provisionNewUserForEntra()
      → bilko_auth.provision_user_with_org()  [SECURITY DEFINER, SERIALIZABLE]
          → INSERT organizations (trial 7 days)
          → INSERT users (role=viewer, password=null)
          → INSERT entra_external_identities (issuer, oid)
  → jwtService.signAccessToken(userId, email, role='viewer', orgId)
  → Response: { user, organization { trialEndsAt }, tokens { accessToken, refreshToken } }

Idempotency: Re-login with the same OID returns the existing user and org; trial end date is not reset. The entra_external_identities table has a UNIQUE constraint on (issuer, subject).

4.3 trialEndsAt in /auth/me

The GET /auth/me response includes organization.trialEndsAt (ISO 8601). The frontend auth store exposes this on the Organization interface. The trial expiry is enforced server-side by TrialGatePlugin which queries the DB on every gated request — the JWT does not embed expiry.

4.4 RLS isolation

All JIT-provisioned tenants are isolated via PostgreSQL Row Level Security. The app.current_org_id session variable is set by OrgScopePlugin from the BilkoPrincipal (JWT-derived, not from any HTTP header). orgTransaction() uses SET LOCAL scoped to the transaction — connection pool does not carry state between requests. Cross-tenant isolation is verified by RlsOrgIsolationV46IntegrationTest.

5. Deploy

PropertyValue
Deploy triggerbilko-main-deploy (europe-north1, project tribal-sign-487920-k0)
Trigger typesemver tag on main: git tag vX.Y.Z && git push origin vX.Y.Z
Configinfrastructure/gcp/cloudbuild.yaml
Current live tagv0.2.47 (commit 30a8c85)
Web revisionbilko-web-demo-00080-tq5
API revisionbilko-api-demo-00155-524
CIAM env vars in triggerNEXT_PUBLIC_ENTRA_CLIENT_ID, NEXT_PUBLIC_ENTRA_AUTHORITY, NEXT_PUBLIC_ENTRA_SCOPE, ENTRA_EXTERNAL_ID_ISSUER, ENTRA_EXTERNAL_ID_AUDIENCE (= c2902239), ENTRA_EXTERNAL_ID_JWKS_URL

ZAKON PI2: Do not run cloudbuild.yaml manually. Use git tag + git push origin only. The stage pipeline (bilko-stage-auto-deploy) fires on every push to main and is unrelated to the demo deploy.

6. Known Follow-Ups

IDPriorityDescription
H1 HIGH — must-fix before scale launch Abuse gate (MC #103245): JIT provisioning has no server-side rate gate on tenant creation. An attacker with many email inboxes can script CIAM sign-ups (each requires a real OTP but automation services exist). Fix: add a platform-level provision rate gate in UserProvisioningService.provisionNewUserForEntra() (max N JIT orgs per hour) + CIAM tenant configuration to block disposable email domains.
B3 MEDIUM Migadu email OTP blocking: Migadu (one.com), used for @alai.no, blocks Microsoft Azure CIAM OTP emails. Prospects with Gmail or Outlook receive OTP in ~6 seconds. Alai staff using @alai.no addresses cannot sign up. Fix: whitelist accountprotection.microsoft.com sender in Migadu SPF settings, or configure a custom CIAM email sender domain.
UX-1 LOW Org display name: JIT-provisioned orgs are named "unknown's Organization" (no display name collected at signup). The user flow only collects email. Fix: add displayName to the BilkoSignUpSignIn attribute collection (Azure config, no code change), or collect it on first post-login screen.
UX-2 LOW Default country/currency: JIT-provisioned org defaults to country='BA', currency='BAM'. Prospects outside Bosnia must update via Settings. A country selection step at signup would improve the onboarding experience (follow-on, not a blocker).
M1 MEDIUM INGRESS_TRAFFIC_ALL (MC #99924): Direct *.run.app access bypasses GCLB, which degrades IP-based rate limiting to per-GFE-region keying. Pre-existing risk, not introduced by CIAM. Fix: lock ingress to internal-only when load balancer is provisioned.
M3 MEDIUM No alert on rapid tenant creation: Add a GCP Cloud Monitoring alert triggering when more than N organisations are JIT-provisioned per hour.

7. Validation Evidence

Proveo — 11/11 PASS (v0.2.47, 2026-06-09T02:55Z)

Real Gmail sign-up (alembasic@gmail.com) end-to-end on bilko-demo.alai.no:

StepResultDetails
1PASSSelf-serve copy present; "Contact your administrator" absent
2PASS"Sign in with Microsoft" → ciamlogin.com (tenant 20bb17de) redirect
3PASSEmail entered on CIAM; OTP sent immediately
4PASSReturning user — OTP sent directly (no create-account needed)
5PASS8-digit OTP (17717965) received via Gmail UID:75644 in 7 seconds
6PASSRedirect back to bilko-demo.alai.no/dashboard
7PASSPOST /auth/entra/session → 200, Bilko HMAC JWT, org 4e96b6ff confirmed
8PASS/dashboard with trial UI ("Probno: 6 dana preostalo"), /auth/me → 200 + trialEndsAt 2026-06-15
9PASS/invoices via SPA nav — empty org (0 invoices), session alive
10PASS/invoices/new — invoice form visible, trial tenant usable
11PASSRegression clear — admin wall absent, self-serve copy confirmed

Zero /auth/refresh calls during SPA navigation after B1.3 fix (confirmed by network capture count=0). Cross-tenant RLS: org 4e96b6ff shows 0 invoices and 0 BAM balances (no data from other tenants).

Securion — LAUNCH WITH CONDITIONS

8. DEPLOY-MAP Reference

The CIAM substitutions live in infrastructure/gcp/cloudbuild.yaml under the bilko-main-deploy trigger. The Cloudflare Turnstile entries in DEPLOY-MAP.md cover the marketing landing forms and are unrelated to the CIAM auth flow. No DEPLOY-MAP.md changes are required for the CIAM self-serve trial feature — the trigger substitutions are already updated.

Do not add CIAM secrets to the DEPLOY-MAP secrets table — these are build-time substitutions injected directly from the trigger, not GCP Secret Manager secrets.

9. Environment Variables Reference

VariableServiceCorrect value note
NEXT_PUBLIC_ENTRA_CLIENT_IDbilko-web-demo (build-time)c2902239-ea63-41bd-8619-6cf096d7d45a (SPA app)
NEXT_PUBLIC_ENTRA_AUTHORITYbilko-web-demo (build-time)https://[tenant-id].ciamlogin.com/[tenant-id]/v2.0 — no user flow suffix needed
NEXT_PUBLIC_ENTRA_SCOPEbilko-web-demo (build-time)api://fe39e0f5.../access_as_user
ENTRA_EXTERNAL_ID_ISSUERbilko-api-demohttps://[tenant-id].ciamlogin.com/[tenant-id]/v2.0
ENTRA_EXTERNAL_ID_AUDIENCEbilko-api-democ2902239-ea63-41bd-8619-6cf096d7d45a (SPA client ID — NOT the API resource ID)
ENTRA_EXTERNAL_ID_JWKS_URLbilko-api-demohttps://[tenant-id].ciamlogin.com/[tenant-id]/discovery/v2.0/keys

Critical: ENTRA_EXTERNAL_ID_AUDIENCE must be the SPA client ID (c2902239), not the API resource app ID. MSAL requests id_tokens with the SPA client as audience. If set to the API app ID, the backend rejects every CIAM idToken with audience mismatch.

Page created by Skillforge (MC #103232 WS-D, 2026-06-09). Source evidence: /tmp/evidence-103232/. Validation: Proveo 11/11 PASS + Securion LAUNCH WITH CONDITIONS.

Backend

Bilko Self-Serve Trial — CIAM Architecture and Auth Pattern (MC #103232)

Bilko Self-Serve Trial — CIAM Architecture & Auth Pattern

MC: #103232 | Status: LIVE — Proveo 11/11 PASS | Last updated: 2026-06-09 | Securion verdict: LAUNCH WITH CONDITIONS

1. Overview

A prospect navigates to app.bilko.cloud (or bilko-demo.alai.no), clicks "Sign in or create a free account with your email", and completes a Microsoft CIAM Email-OTP sign-up. On first login, the backend JIT-provisions an empty Bilko organisation with a 7-day trial directly on the real production database (bilko-demo-db). There is no separate demo build, no invite-only flow, and no org Microsoft account required — any personal email address works.

The deployment target is the standard bilko-main-deploy semver-tag trigger. Stage and demo share the same Kotlin/Ktor binary and the same database instance (multi-tenant via RLS). The CIAM tenant (bilkociam) is a dedicated Microsoft Entra External ID tenant, completely separate from the Bilko staff Entra tenant.

1.1 Flow diagram

Prospect → app.bilko.cloud/login
         → "Sign in with Microsoft" (MSAL redirect)
         → bilkociam.ciamlogin.com [BilkoSignUpSignIn user flow]
         → Email OTP verification (8-digit code, ~6s delivery)
         → Consent pages (2 pages on first login only)
         → Redirect to app.bilko.cloud/auth/callback
         → MSAL: LOGIN_SUCCESS fires, payload.idToken available
         → POST /auth/entra/session { idToken }   [B1 exchange fix]
         → bilko-api: JWKS RS256 verify → OID lookup → JIT provision
         → Response: Bilko HMAC JWT + org { trialEndsAt }
         → setAuthFromRegistration()              [B1.2 session fix]
         → checkAuth() in-memory JWT fast-path    [B1.3 session fix]
         → /dashboard — empty org, trial active ("Probno: 6 dana preostalo")

2. CIAM Tenant Configuration

PropertyValue
Tenant namebilkociam
Tenant ID20bb17de-9be5-4143-a7e5-8c1ddae6a064
Tenant typeCIAM (Entra External ID)
SPA app nameBilko Web (SPA)
SPA client IDc2902239-ea63-41bd-8619-6cf096d7d45a
API resource app IDfe39e0f5-513e-40af-93f0-c3ee624df56c
Authority URLhttps://20bb17de-9be5-4143-a7e5-8c1ddae6a064.ciamlogin.com/20bb17de-9be5-4143-a7e5-8c1ddae6a064/v2.0
OIDC issuersame as authority URL (confirmed via discovery endpoint)

2.1 User flow: BilkoSignUpSignIn

PropertyValue
Flow IDaa86084b-01dc-453f-9e10-679dfefdd824
TypeexternalUsersSelfServiceSignUpEventsFlow
Display nameBilkoSignUpSignIn
Identity providerEmailOtpSignup-OAUTH (Email One Time Passcode)
isSignUpAllowedtrue
userTypeToCreatemember (not guest)
Attributes collectedemail (auto-filled by OTP verification)
Linked appc2902239-ea63-41bd-8619-6cf096d7d45a (Bilko Web SPA)

Authority URL note: Unlike Azure AD B2C, Entra External ID CIAM does not require a user flow policy name suffix in the authority URL. The BilkoSignUpSignIn flow is applied automatically at the tenant level when the SPA app is linked to it. The deployed authority URL requires no changes.

2.2 Registered SPA redirect URIs

2.3 Adding identity providers or attributes

To add social identity providers (Google, Apple) or additional signup attributes (e.g. display name, company name): Microsoft Entra admin centre → External Identities → User flows → BilkoSignUpSignIn → Identity providers / Attributes. No code changes or redeploys are required for attribute-only changes. Adding a social provider requires app registration on the provider side and linking in the CIAM tenant.

3. Auth Flow — The Hard-Won Pattern

This section documents three bugs that were discovered and fixed during Proveo E2E validation (MC #103232 WS-V). The fixes are canonical — do not revert them.

B1 — Token exchange (commit 660f410, tag v0.2.45)

Problem: MSAL's LOGIN_SUCCESS event fires with an Entra access_token (RS256, Microsoft-issued). The original code set this directly as the API Bearer header. The Bilko API validates HMAC256 JWTs only — all calls returned 401.

Fix: After MSAL fires, pass payload.idToken (not payload.accessToken) to a POST /auth/entra/session { idToken } call. The backend verifies the CIAM RS256 idToken via JWKS, looks up or JIT-provisions the user, and returns a Bilko HMAC JWT.

// apps/web/lib/msal/msal-provider.tsx — corrected token selection
const idToken = payload.idToken ?? payload.accessToken
if (idToken) { handleEntraLogin(idToken) }

// apps/web/lib/msal/use-entra-auth.ts — exchange call
const sessionResult = await api.auth.entraSession(idToken)
const bilkoJwt = sessionResult?.tokens?.accessToken
setAccessToken(bilkoJwt)

B1.2 — Session persistence via setAuthFromRegistration (commit e1e31c5, tag v0.2.46)

Problem: After the B1 exchange, checkAuth() was called to hydrate the store. checkAuth() internally calls POST /auth/refresh using the httpOnly refresh-token cookie. The CIAM exchange path does not set a cookie — so /auth/refresh returned 401, which cleared the Bilko JWT and redirected back to /login.

Fix: Replace the checkAuth() call in handleEntraLogin with setAuthFromRegistration(), which hydrates the Zustand auth store directly from the /auth/entra/session response body. No cookie round-trip needed.

// apps/web/lib/msal/use-entra-auth.ts — hydrate from session response
const { setAuthFromRegistration } = useAuthStore.getState()
setAuthFromRegistration({
  user: sessionResult.user,
  organization: sessionResult.organization,
  tokens: { accessToken: bilkoJwt },
})
// Navigate to /dashboard — Bilko JWT is in-memory Bearer

B1.3 — checkAuth in-memory JWT fast-path (commit 30a8c85, tag v0.2.47)

Problem: Even with B1.2, setAuthFromRegistration() in handleEntraLogin correctly set isAuthenticated=true. However, AuthProvider mounts on every protected route and calls checkAuth(). That call hit /auth/refresh (cookie path) → 401 → store reset to unauthenticated → redirect to /login on every page navigation.

Fix: Added an in-memory JWT fast-path at the top of checkAuth() in auth-store.ts. If a Bilko JWT is already in memory (set via the CIAM exchange), checkAuth() uses GET /auth/me with that Bearer token instead of falling through to the cookie-refresh path.

// apps/web/lib/stores/auth-store.ts — in-memory fast-path
checkAuth: async () => {
  const inMemoryToken = getAccessToken()
  if (inMemoryToken) {
    try {
      const me = await api.auth.me()
      set({ isAuthenticated: true, isLoading: false,
            user: { ...me, name: me.fullName },
            organization: me?.organization ?? null })
      return true
    } catch {
      set({ isAuthenticated: false, isLoading: false, user: null, organization: null })
      return false
    }
  }
  // Original cookie-refresh fallback (unchanged — non-CIAM sessions)
  ...
}

ENTRA_EXTERNAL_ID_AUDIENCE — critical build var (fixed in v0.2.47 trigger update)

Problem: The bilko-main-deploy Cloud Build trigger had _ENTRA_EXTERNAL_ID_AUDIENCE set to fe39e0f5 (the API resource app ID). This is wrong — the CIAM idToken audience is the SPA client ID (c2902239), because MSAL requests id_tokens scoped to the requesting app. Every new deploy reverted the Cloud Run env to the wrong value, requiring a manual patch.

Fix: The trigger substitution was updated:

# infrastructure/gcp/cloudbuild.yaml — correct value
_ENTRA_EXTERNAL_ID_AUDIENCE: c2902239-ea63-41bd-8619-6cf096d7d45a   # SPA client ID
# NOT: fe39e0f5-513e-40af-93f0-c3ee624df56c  (that is the API resource app — wrong for idToken aud)

This is now stable in the trigger — it will not revert on future deploys.

4. Backend JIT Provisioning

4.1 Database migrations (Flyway V66–V69)

MigrationPurpose
V66__entra_rls_and_password_nullable.sqlMakes password_hash nullable (Entra-only users have no password). Adds RLS policy on entra_external_identities (FORCE + fail-closed). Adds CHECK constraint: issuer must not end with trailing slash.
V67__rbac_permissions_catalog.sqlRBAC permissions catalog seeding.
V68__rbac_user_provisioning.sqlSECURITY DEFINER function bilko_auth.provision_user_with_org(): creates org (7-day trial, trial_starts_at, trial_ends_at = now() + 7 days), creates user (role='viewer', password_hash=NULL), inserts entra_external_identities row (issuer, OID, user_id). Default: country='BA', currency='BAM'.
V69__fix_provision_rls.sqlRLS fix: calls set_config('app.current_org_id', v_org_id, true) before the users INSERT so that RLS policies on the users table pass during JIT provisioning.

4.2 JIT provisioning call flow

POST /auth/entra/session { idToken }
  → EntraExternalIdService.verifyIdToken()         [RS256, JWKS, issuer+audience+exp]
  → AuthUserRepository.findByEntraIdentity(issuer, oid)  → null (new user)
  → AuthUserRepository.findByEmail(email)                → null (no existing Bilko account)
  → UserProvisioningService.provisionNewUserForEntra()
      → bilko_auth.provision_user_with_org()  [SECURITY DEFINER, SERIALIZABLE]
          → INSERT organizations (trial 7 days)
          → INSERT users (role=viewer, password=null)
          → INSERT entra_external_identities (issuer, oid)
  → jwtService.signAccessToken(userId, email, role='viewer', orgId)
  → Response: { user, organization { trialEndsAt }, tokens { accessToken, refreshToken } }

Idempotency: Re-login with the same OID returns the existing user and org; trial end date is not reset. The entra_external_identities table has a UNIQUE constraint on (issuer, subject).

4.3 trialEndsAt in /auth/me

The GET /auth/me response includes organization.trialEndsAt (ISO 8601). The frontend auth store exposes this on the Organization interface. The trial expiry is enforced server-side by TrialGatePlugin which queries the DB on every gated request — the JWT does not embed expiry.

4.4 RLS isolation

All JIT-provisioned tenants are isolated via PostgreSQL Row Level Security. The app.current_org_id session variable is set by OrgScopePlugin from the BilkoPrincipal (JWT-derived, not from any HTTP header). orgTransaction() uses SET LOCAL scoped to the transaction — connection pool does not carry state between requests. Cross-tenant isolation is verified by RlsOrgIsolationV46IntegrationTest.

5. Deploy

PropertyValue
Deploy triggerbilko-main-deploy (europe-north1, project tribal-sign-487920-k0)
Trigger typesemver tag on main: git tag vX.Y.Z && git push origin vX.Y.Z
Configinfrastructure/gcp/cloudbuild.yaml
Current live tagv0.2.47 (commit 30a8c85)
Web revisionbilko-web-demo-00080-tq5
API revisionbilko-api-demo-00155-524
CIAM env vars in triggerNEXT_PUBLIC_ENTRA_CLIENT_ID, NEXT_PUBLIC_ENTRA_AUTHORITY, NEXT_PUBLIC_ENTRA_SCOPE, ENTRA_EXTERNAL_ID_ISSUER, ENTRA_EXTERNAL_ID_AUDIENCE (= c2902239), ENTRA_EXTERNAL_ID_JWKS_URL

ZAKON PI2: Do not run cloudbuild.yaml manually. Use git tag + git push origin only. The stage pipeline (bilko-stage-auto-deploy) fires on every push to main and is unrelated to the demo deploy.

6. Known Follow-Ups

IDPriorityDescription
H1 HIGH — must-fix before scale launch Abuse gate (MC #103245): JIT provisioning has no server-side rate gate on tenant creation. An attacker with many email inboxes can script CIAM sign-ups (each requires a real OTP but automation services exist). Fix: add a platform-level provision rate gate in UserProvisioningService.provisionNewUserForEntra() (max N JIT orgs per hour) + CIAM tenant configuration to block disposable email domains.
B3 MEDIUM Migadu email OTP blocking: Migadu (one.com), used for @alai.no, blocks Microsoft Azure CIAM OTP emails. Prospects with Gmail or Outlook receive OTP in ~6 seconds. Alai staff using @alai.no addresses cannot sign up. Fix: whitelist accountprotection.microsoft.com sender in Migadu SPF settings, or configure a custom CIAM email sender domain.
UX-1 LOW Org display name: JIT-provisioned orgs are named "unknown's Organization" (no display name collected at signup). The user flow only collects email. Fix: add displayName to the BilkoSignUpSignIn attribute collection (Azure config, no code change), or collect it on first post-login screen.
UX-2 LOW Default country/currency: JIT-provisioned org defaults to country='BA', currency='BAM'. Prospects outside Bosnia must update via Settings. A country selection step at signup would improve the onboarding experience (follow-on, not a blocker).
M1 MEDIUM INGRESS_TRAFFIC_ALL (MC #99924): Direct *.run.app access bypasses GCLB, which degrades IP-based rate limiting to per-GFE-region keying. Pre-existing risk, not introduced by CIAM. Fix: lock ingress to internal-only when load balancer is provisioned.
M3 MEDIUM No alert on rapid tenant creation: Add a GCP Cloud Monitoring alert triggering when more than N organisations are JIT-provisioned per hour.

7. Validation Evidence

Proveo — 11/11 PASS (v0.2.47, 2026-06-09T02:55Z)

Real Gmail sign-up (alembasic@gmail.com) end-to-end on bilko-demo.alai.no:

StepResultDetails
1PASSSelf-serve copy present; "Contact your administrator" absent
2PASS"Sign in with Microsoft" → ciamlogin.com (tenant 20bb17de) redirect
3PASSEmail entered on CIAM; OTP sent immediately
4PASSReturning user — OTP sent directly (no create-account needed)
5PASS8-digit OTP (17717965) received via Gmail UID:75644 in 7 seconds
6PASSRedirect back to bilko-demo.alai.no/dashboard
7PASSPOST /auth/entra/session → 200, Bilko HMAC JWT, org 4e96b6ff confirmed
8PASS/dashboard with trial UI ("Probno: 6 dana preostalo"), /auth/me → 200 + trialEndsAt 2026-06-15
9PASS/invoices via SPA nav — empty org (0 invoices), session alive
10PASS/invoices/new — invoice form visible, trial tenant usable
11PASSRegression clear — admin wall absent, self-serve copy confirmed

Zero /auth/refresh calls during SPA navigation after B1.3 fix (confirmed by network capture count=0). Cross-tenant RLS: org 4e96b6ff shows 0 invoices and 0 BAM balances (no data from other tenants).

Securion — LAUNCH WITH CONDITIONS

8. DEPLOY-MAP Reference

The CIAM substitutions live in infrastructure/gcp/cloudbuild.yaml under the bilko-main-deploy trigger. The Cloudflare Turnstile entries in DEPLOY-MAP.md cover the marketing landing forms and are unrelated to the CIAM auth flow. No DEPLOY-MAP.md changes are required for the CIAM self-serve trial feature — the trigger substitutions are already updated.

Do not add CIAM secrets to the DEPLOY-MAP secrets table — these are build-time substitutions injected directly from the trigger, not GCP Secret Manager secrets.

9. Environment Variables Reference

VariableServiceCorrect value note
NEXT_PUBLIC_ENTRA_CLIENT_IDbilko-web-demo (build-time)c2902239-ea63-41bd-8619-6cf096d7d45a (SPA app)
NEXT_PUBLIC_ENTRA_AUTHORITYbilko-web-demo (build-time)https://[tenant-id].ciamlogin.com/[tenant-id]/v2.0 — no user flow suffix needed
NEXT_PUBLIC_ENTRA_SCOPEbilko-web-demo (build-time)api://fe39e0f5.../access_as_user
ENTRA_EXTERNAL_ID_ISSUERbilko-api-demohttps://[tenant-id].ciamlogin.com/[tenant-id]/v2.0
ENTRA_EXTERNAL_ID_AUDIENCEbilko-api-democ2902239-ea63-41bd-8619-6cf096d7d45a (SPA client ID — NOT the API resource ID)
ENTRA_EXTERNAL_ID_JWKS_URLbilko-api-demohttps://[tenant-id].ciamlogin.com/[tenant-id]/discovery/v2.0/keys

Critical: ENTRA_EXTERNAL_ID_AUDIENCE must be the SPA client ID (c2902239), not the API resource app ID. MSAL requests id_tokens with the SPA client as audience. If set to the API app ID, the backend rejects every CIAM idToken with audience mismatch.

Page created by Skillforge (MC #103232 WS-D, 2026-06-09). Source evidence: /tmp/evidence-103232/. Validation: Proveo 11/11 PASS + Securion LAUNCH WITH CONDITIONS.

Testing & QA

Testing & QA

Test Plan

Bilko — Test Plan

Version: 1.0 Date: 2026-02-23 Project ID: bbd77cc0 Status: Current — reflects actual codebase and target testing strategy as of 2026-02-23

Table of Contents

  1. Test Philosophy
  2. Unit Test Strategy
  3. Integration Test Strategy
  4. End-to-End Test Strategy
  5. Accounting Scenario Tests
  6. Regulatory Compliance Tests
  7. Performance Benchmarks
  8. Security Tests
  9. Test Infrastructure
  10. Test Coverage Targets

1. Test Philosophy

1.1 Existing Tests

The @bilko/core package has unit tests written with Vitest:

Test File Coverage
packages/core/tests/accounting.test.ts validateDoubleEntry, createJournalEntry, calculateTrialBalance
packages/core/tests/tax.test.ts calculateVAT, getDefaultVATRate, getVATRates, calculateNetFromGross, calculateCIT
packages/core/tests/multi-currency.test.ts convertCurrency, lockExchangeRate, calculateForexGainLoss
packages/core/tests/invoicing.test.ts Invoice calculation helpers
packages/core/tests/chart-of-accounts.test.ts Chart structure validation

1.2 Test Pyramid

          ┌─────────┐
          │   E2E   │  ← Fewer, slower, critical user flows
          │  Tests  │
          └────┬────┘
          ┌────┴────┐
          │  Integ  │  ← API endpoints with real test DB
          │  Tests  │
          └────┬────┘
     ┌─────────┴──────────┐
     │     Unit Tests     │  ← Core engine, services, validators (fast, many)
     └────────────────────┘

graph TD
    subgraph PYRAMID["Bilko Test Pyramid"]
        E2E["E2E Tests — 10%<br/>Playwright<br/>5 critical flows<br/>Staging environment<br/>~60s per test"]
        INT["Integration Tests — 30%<br/>Supertest + Vitest<br/>Real PostgreSQL<br/>API endpoints<br/>~5s per test"]
        UNIT["Unit Tests — 60%<br/>Vitest<br/>@bilko/core engine<br/>Pure functions<br/>~50ms per test"]
    end

    E2E --> INT
    INT --> UNIT

    UNIT --> U1["accounting.test.ts"]
    UNIT --> U2["tax.test.ts"]
    UNIT --> U3["multi-currency.test.ts"]
    UNIT --> U4["bank-import.test.ts"]
    UNIT --> U5["chart-of-accounts.test.ts"]

    INT --> I1["auth.test.ts"]
    INT --> I2["invoices.test.ts"]
    INT --> I3["expenses.test.ts"]
    INT --> I4["reports.test.ts"]
    INT --> I5["isolation.test.ts"]

    E2E --> E1["invoice-lifecycle.spec.ts"]
    E2E --> E2["expense-flow.spec.ts"]
    E2E --> E3["bank-reconciliation.spec.ts"]
    E2E --> E4["reports.spec.ts"]
    E2E --> E5["auth.spec.ts"]

    style PYRAMID fill:#f8f9fa,stroke:#dee2e6
    style E2E fill:#dc3545,color:#fff,stroke:#c82333
    style INT fill:#fd7e14,color:#fff,stroke:#e8690b
    style UNIT fill:#198754,color:#fff,stroke:#157347

1.3 Non-Negotiable Rules

  1. Money is never JavaScript number — all monetary tests use Decimal.js or string assertions
  2. Double-entry always balanced — every test that creates a financial transaction verifies debit = credit
  3. Organization isolation — cross-org data access must be impossible (tested explicitly)
  4. Immutability — locked transactions cannot be modified (must throw/fail)
  5. Audit trail — mutations must create LoggedAction entries (tested in integration)

2. Unit Test Strategy

Framework: Vitest (already configured in packages/core/vitest.config.ts) Run: cd packages/core && npx vitest

2.1 Core Accounting Engine (@bilko/core)

accounting/index.ts — Double-Entry Engine

File: packages/core/tests/accounting.test.ts (EXISTS)

Test Case Assertion
Balanced entry: debit = credit validateDoubleEntry returns true
Unbalanced entry: debit ≠ credit Returns false
Less than 2 lines Returns false
Negative amounts Returns false
Zero amounts Returns false
Multiple lines summing to balanced Returns true
Decimal amounts with 4dp precision Returns true
createJournalEntry with valid data Returns entry unchanged
Missing description Throws "must have a description"
Missing date Throws "must have a date"
Unbalanced amounts in error message Error shows actual debit/credit totals
calculateTrialBalance from balanced entries isBalanced = true, sums correct
calculateTrialBalance groups by account number Same account accumulated correctly
calculateTrialBalance empty input isBalanced = true, empty rows
calculateTrialBalance sorts by account number Rows sorted ascending

Additional tests needed:

describe('Immutable transaction locking', () => {
  it('locked transactions cannot have amount changed');
  it('locked transactions cannot change debit/credit accounts');
  it('locked = true after period close');
});

tax/index.ts — VAT/CIT Calculator

File: packages/core/tests/tax.test.ts (EXISTS)

Test Case Assertion
Serbia PDV 20% on 1000 base=1000, tax=200, total=1200
BiH PDV 17% on 1000 base=1000, tax=170, total=1170
Croatia PDV 25% on 1000 base=1000, tax=250, total=1250
Zero rate tax=0, total=base
Decimal base amounts (123.45 at 20%) tax=24.69, total=148.14
Negative amount Throws "non-negative"
Negative rate Throws "non-negative"
Large amounts (999,999,999.9999) No precision loss
Decimal input accepted Same result as string
getDefaultVATRate('RS') Returns 20
getDefaultVATRate('BA') Returns 17
getDefaultVATRate('HR') Returns 25
Unsupported country Throws "Unsupported country"
getVATRates('RS') 3 rates: 20, 10, 0
getVATRates('BA') 2 rates: 17, 0
getVATRates('HR') 3 rates: 25, 13, 0
Returns copies (immutable) Mutation doesn't affect originals
Reverse VAT (BiH 1170 gross) base≈1000, tax≈170
CIT at 15% 100000 → 15000

Additional tests needed (country modules):

// packages/country-rs/src/tax/index.ts
describe('Serbian tax specifics', () => {
  it('calculateSerbianPDV standard 20%');
  it('calculateSerbianPDV reduced 10%');
  it('calculateSerbianPDV zero rate');
  it('calculateSerbianCIT 15% flat');
  it('qualifiesForPausalRegime: revenue < 6M RSD → true');
  it('qualifiesForPausalRegime: revenue >= 6M RSD → false');
  it('requiresVATRegistration: revenue >= 8M RSD → true');
  it('requiresVATRegistration: revenue < 8M RSD → false');
});

// packages/country-ba/src/tax/index.ts
describe('Bosnian tax specifics', () => {
  it('calculateBosnianPDV single 17% rate');
  it('calculateCITFBiH 10%');
  it('calculateCITRS 10%');
  it('calculateDividendWHT FBiH: dividends 5%');
  it('calculateDividendWHT RS: dividends 10%');
  it('requiresVATRegistration: >= 100000 BAM → true');
});

// packages/country-hr/src/tax/index.ts
describe('Croatian tax specifics', () => {
  it('calculateCroatianPDV standard 25%');
  it('calculateCroatianPDV reduced 13%');
  it('calculateCroatianPDV superReduced 5%');
  it('calculateCroatianCIT: revenue < 1M EUR → 10%');
  it('calculateCroatianCIT: revenue >= 1M EUR → 18%');
  it('qualifiesForPausalni: revenue < 60000 EUR → true');
  it('requiresVATRegistration: revenue >= 60000 EUR → true');
});

multi-currency/index.ts — Currency Conversion

File: packages/core/tests/multi-currency.test.ts (EXISTS)

Test Case Assertion
Same currency Rate = 1, no conversion
RSD to EUR at rate 0.0086 Correct base amount
lockExchangeRate returns ExchangeRate object Correct fields
lockExchangeRate same currency Throws error
lockExchangeRate rate ≤ 0 Throws "must be positive"
convertCurrency with zero fromRate Throws
calculateForexGainLoss gain scenario gain > 0, loss = 0
calculateForexGainLoss loss scenario gain = 0, loss > 0
isSupportedCurrency('EUR') true
isSupportedCurrency('XYZ') false
Precision: toFixed(4) on result 4 decimal places

bank-import/index.ts — CSV Parser

File: packages/core/tests/bank-import.test.ts (MISSING — needs creation)

describe('parseCSV', () => {
  it('parses ISO date format YYYY-MM-DD');
  it('parses Balkan dot format DD.MM.YYYY');
  it('parses slash format DD/MM/YYYY');
  it('skips header line');
  it('skips empty lines');
  it('returns empty array for empty string');
  it('returns empty array for header-only CSV');
  it('sets direction: inbound by default');
  it('sets direction: outbound when field is "outbound"');
  it('handles quoted fields with commas');
  it('generates deterministic IDs for dedup');
});

describe('detectDuplicates', () => {
  it('detects exact duplicate by date+amount+currency+reference');
  it('returns empty array when no duplicates');
  it('returns empty array when either list is empty');
  it('does NOT flag as duplicate if amount differs');
  it('does NOT flag as duplicate if date differs');
  it('does NOT flag as duplicate if reference differs (but amount/date same)');
});

2.2 Validator Unit Tests

Framework: Vitest Location: apps/api/src/validators/*.ts

describe('Invoice validators (createInvoiceSchema)', () => {
  it('valid invoice passes');
  it('missing customerId fails');
  it('invalid date format fails');
  it('negative unitPrice fails');
  it('empty items array fails');
  it('taxRate > 100 fails');
  it('invalid currencyCode (5 chars) fails');
  it('invalid UUID for customerId fails');
});

describe('Auth validators (registerSchema)', () => {
  it('valid registration passes');
  it('invalid email fails');
  it('password too short fails (< 8 chars)');
  it('invalid country code (not RS/BA/HR) fails');
  it('missing organizationName fails');
});

Integration Test Architecture

sequenceDiagram
    participant TC as Test Case
    participant ST as Supertest
    participant APP as Express App
    participant MID as Middleware<br/>(Auth + RBAC)
    participant SVC as Service Layer
    participant PRI as Prisma ORM
    participant DB as Test PostgreSQL

    TC->>ST: HTTP request + Bearer token
    ST->>APP: Forward request
    APP->>MID: Authenticate JWT
    MID->>MID: Verify organizationId scope
    MID->>SVC: Authorized request
    SVC->>PRI: DB query (org-scoped)
    PRI->>DB: Parameterized SQL
    DB-->>PRI: Result rows
    PRI-->>SVC: Typed objects
    SVC-->>APP: Response data
    APP-->>ST: HTTP response
    ST-->>TC: Assert status + body

    Note over DB: beforeEach: seed<br/>afterEach: truncate<br/>(reverse FK order)

3. Integration Test Strategy

Framework: Supertest + Vitest (or Jest) Database: Test PostgreSQL instance (separate from dev/prod) Setup: Prisma migrations applied before tests; data seeded per test suite; truncated after each test

3.1 Test Database Setup

// test/setup.ts
import { prisma } from '../src/lib/prisma';
import { execSync } from 'child_process';

beforeAll(async () => {
  // Apply migrations to test DB
  execSync('npx prisma migrate deploy', { env: { DATABASE_URL: process.env.TEST_DATABASE_URL } });
});

beforeEach(async () => {
  // Seed minimal data: 1 org, 1 owner user, default accounts
  await seedTestOrg();
});

afterEach(async () => {
  // Clean up in reverse FK order
  await prisma.loggedAction.deleteMany();
  await prisma.bankTransaction.deleteMany();
  await prisma.bankAccount.deleteMany();
  await prisma.transaction.deleteMany();
  await prisma.invoiceItem.deleteMany();
  await prisma.invoice.deleteMany();
  await prisma.expense.deleteMany();
  await prisma.contact.deleteMany();
  await prisma.account.deleteMany();
  await prisma.user.deleteMany();
  await prisma.organization.deleteMany();
});

3.2 Auth Endpoints

describe('POST /api/v1/auth/register', () => {
  it('creates org + owner user, returns tokens');
  it('returns 409 for duplicate email');
  it('returns 400 for missing required fields');
  it('password is hashed (not stored plain)');
  it('sets refreshToken httpOnly cookie');
  it('org baseCurrency defaults to EUR');
});

describe('POST /api/v1/auth/login', () => {
  it('returns accessToken + sets cookie on valid credentials');
  it('returns 401 for wrong password');
  it('returns 401 for non-existent email');
  it('updates lastLoginAt on success');
  it('rememberMe=true extends cookie to 30 days');
});

describe('POST /api/v1/auth/refresh', () => {
  it('returns new accessToken from valid refresh cookie');
  it('returns 401 when no cookie');
  it('returns 401 for expired refresh token');
});

describe('POST /api/v1/auth/logout', () => {
  it('clears refreshToken cookie');
  it('returns 204');
});

describe('GET /api/v1/auth/me', () => {
  it('returns user + org data for valid token');
  it('returns 401 for missing token');
  it('returns 401 for expired token');
});

3.3 Invoice Endpoints

describe('GET /api/v1/invoices', () => {
  it('returns paginated invoices for organization');
  it('does NOT return invoices from other orgs');
  it('filters by status');
  it('filters by customerId');
  it('filters by date range');
  it('returns empty data array when no invoices');
  it('returns 401 without auth');
});

describe('POST /api/v1/invoices', () => {
  it('creates invoice in draft status');
  it('auto-generates invoice number INV-YYYY-001');
  it('increments invoice number sequentially');
  it('calculates subtotal correctly from line items');
  it('calculates taxAmount at specified rate');
  it('sets baseAmount = totalAmount when currency = baseCurrency');
  it('locks exchange rate from ExchangeRate table');
  it('returns 404 for non-existent customerId');
  it('returns 400 for contact that is vendor only (not customer)');
});

describe('PATCH /api/v1/invoices/:id/status → send', () => {
  it('changes status from draft to sent');
  it('creates Transaction: DR Receivable / CR Revenue');
  it('transaction.amount = invoice.totalAmount');
  it('transaction.referenceType = invoice, referenceId = invoice.id');
  it('returns 400 if invoice already sent');
  it('returns 400 if required accounts not in chart of accounts');
});

describe('PATCH /api/v1/invoices/:id/status → mark-paid', () => {
  it('changes status from sent to paid');
  it('creates Transaction: DR Bank / CR Receivable');
  it('sets paidAt to provided date');
  it('returns 400 if invoice is still draft');
});

describe('DELETE /api/v1/invoices/:id', () => {
  it('deletes draft invoice');
  it('returns 400 when trying to delete sent invoice');
  it('returns 404 for non-existent invoice');
  it('cannot delete invoice from another org');
});

3.4 Expense Endpoints

describe('POST /api/v1/expenses', () => {
  it('creates expense in pending status');
  it('auto-generates expense number EXP-YYYY-001');
  it('stores taxAmount separately');
  it('locks exchange rate at expenseDate');
});

describe('PATCH /api/v1/expenses/:id/approve', () => {
  it('changes status from pending to approved');
  it('creates Transaction: DR Expense / CR Payable');
  it('returns 400 for non-pending expense');
});

describe('PATCH /api/v1/expenses/:id/pay', () => {
  it('changes status from approved to paid');
  it('creates Transaction: DR Payable / CR Bank');
  it('returns 400 for non-approved expense');
});

3.5 Transaction Endpoints

describe('POST /api/v1/transactions (manual journal)', () => {
  it('accountant can create manual transaction');
  it('viewer cannot create manual transaction (403)');
  it('debit and credit account must be different (422)');
  it('debit account must belong to same org (404)');
  it('credit account must belong to same org (404)');
  it('creates transaction with correct amounts');
  it('referenceType = manual');
});

describe('GET /api/v1/transactions', () => {
  it('filters by accountId (both debit and credit sides)');
  it('filters by referenceType');
  it('filters by date range');
  it('does not return transactions from other orgs');
});

3.6 Report Endpoints

describe('GET /api/v1/reports/trial-balance', () => {
  it('returns balanced trial balance (totalDebits = totalCredits)');
  it('returns balanced = true when no transactions');
  it('includes all accounts with transactions');
  it('debit-normal accounts: balance = debit - credit');
  it('credit-normal accounts: balance = credit - debit');
});

describe('GET /api/v1/reports/profit-loss', () => {
  it('revenue accounts (type=4) in revenue section');
  it('expense accounts (type=5) in expenses section');
  it('netProfit = revenue - expenses');
  it('respects date range filter');
});

describe('GET /api/v1/reports/vat', () => {
  it('outputVAT sum from invoice.taxAmount for sent/paid invoices');
  it('inputVAT sum from expense.taxAmount for approved/paid expenses');
  it('netVAT = outputVAT - inputVAT');
  it('draft invoices excluded from output VAT');
  it('pending expenses excluded from input VAT');
});

3.7 Multi-Tenancy Isolation Tests

describe('Organization isolation', () => {
  let org1Token: string;
  let org2Token: string;
  let org1InvoiceId: string;

  beforeEach(async () => {
    // Create two separate organizations
    org1Token = await registerAndLogin('org1@test.rs');
    org2Token = await registerAndLogin('org2@test.rs');
    // Create invoice in org1
    const res = await createInvoice(org1Token, { ... });
    org1InvoiceId = res.body.id;
  });

  it('org2 cannot GET invoice from org1 (returns 404)');
  it('org2 cannot PUT invoice from org1 (returns 404)');
  it('org2 cannot DELETE invoice from org1 (returns 404 or 404)');
  it('org2 list invoices does not include org1 invoices');
  it('org2 cannot GET org1 contacts');
  it('org2 cannot GET org1 transactions');
  it('org2 cannot GET org1 bank accounts');
  it('org2 trial balance does not include org1 accounts');
});

Invoice Lifecycle — Integration Test Flow

stateDiagram-v2
    [*] --> Draft: POST /api/v1/invoices<br/>(test: creates draft, generates INV-YYYY-NNN)

    Draft --> Sent: PATCH /status → send<br/>(test: DR Receivable / CR Revenue)
    Draft --> Deleted: DELETE /invoices/:id<br/>(test: draft can be deleted)
    Sent --> Paid: PATCH /status → mark-paid<br/>(test: DR Bank / CR Receivable)
    Sent --> Deleted_ERR: DELETE attempt<br/>(test: returns 400 — cannot delete sent)
    Paid --> [*]: Trial balance balanced<br/>(test: Receivable = 0, balanced=true)

    state "Sent → mark-paid" as Paid {
        [*] --> TX_Created: Transaction created
        TX_Created --> GL_Updated: General Ledger updated
        GL_Updated --> Reconciled: BankTransaction matched
    }

    note right of Draft
        Auto-generates invoice number
        Locks exchange rate if foreign currency
        Validates customerId belongs to org
    end note

    note right of Sent
        Creates accounting transaction
        referenceType = invoice
        referenceId = invoice.id
    end note

4. End-to-End Test Strategy

Framework: Playwright Target: Critical business flows that span the full stack Environment: Staging environment with seeded data

4.1 User Registration and Setup

test('New user can register, set up org, and access dashboard', async ({ page }) => {
  // 1. Navigate to /register
  // 2. Fill in org name, country=RS, email, password
  // 3. Submit → redirected to dashboard
  // 4. Dashboard loads with zero-state (empty metrics)
  // 5. Logout → redirected to /login
  // 6. Login with same credentials → dashboard again
});

4.2 Complete Invoice Flow

test('Create invoice → send → mark paid → check P&L', async ({ page }) => {
  // Step 1: Create contact (customer)
  await page.goto('/contacts/new');
  await fillContactForm({ name: 'Test Customer', type: 'customer' });
  await page.click('button[type=submit]');

  // Step 2: Create invoice
  await page.goto('/invoices/new');
  // Fill 6-step wizard: customer, date, items (1000 RSD + 20% PDV), review
  await completeInvoiceWizard({ customer: 'Test Customer', amount: 1000, taxRate: 20 });
  // Verify: status = draft, total = 1200 RSD

  // Step 3: Send invoice
  await page.click('button:text("Send Invoice")');
  // Verify: status = sent

  // Step 4: Mark paid
  await page.click('button:text("Mark as Paid")');
  await page.fill('[name=paidAt]', '2026-02-20');
  await page.click('button:text("Confirm")');
  // Verify: status = paid, paidAt set

  // Step 5: Check P&L report
  await page.goto('/reports?from=2026-01-01&to=2026-12-31');
  await expect(page.locator('[data-testid=revenue-total]')).toContainText('1,200.00');

  // Step 6: Check trial balance (balanced)
  await page.goto('/reports/trial-balance');
  await expect(page.locator('[data-testid=balanced-indicator]')).toBeVisible();
});

4.3 Expense Approval Flow

test('Create expense → approve → pay → check trial balance', async ({ page }) => {
  // Step 1: Create expense (office supplies, 5000 RSD, 17% PDV)
  // Step 2: Approve expense → DR Office Expense / CR Accounts Payable
  // Step 3: Pay expense → DR Accounts Payable / CR Bank
  // Step 4: Verify trial balance is still balanced
  // Step 5: Verify P&L shows expense in correct category
});

4.4 Bank Reconciliation Flow

test('Import bank statement → reconcile with invoice payment', async ({ page }) => {
  // Pre-condition: Paid invoice exists (DR Bank / CR Receivable transaction)
  // Step 1: Go to Banking page
  // Step 2: Import CSV with matching payment entry
  // Step 3: Verify imported: 1, duplicates: 0
  // Step 4: Match bank transaction to GL transaction
  // Step 5: Verify BankTransaction.reconciled = true
  // Step 6: Verify Transaction.reconciled = true
});

4.5 VAT Report Generation

test('VAT report reflects invoices and expenses for period', async ({ page }) => {
  // Pre-condition: 3 sent invoices with 20% PDV, 2 approved expenses with PDV
  // Step 1: Navigate to Reports → VAT Report
  // Step 2: Set period to current month
  // Step 3: Verify: output VAT = sum of invoice tax amounts
  // Step 4: Verify: input VAT = sum of expense tax amounts
  // Step 5: Verify: net VAT = output - input
  // Step 6: Download/export VAT report (future feature)
});

E2E Test Flow — Complete Invoice Lifecycle

flowchart TD
    START([Browser: /login]) --> LOGIN[Fill credentials<br/>demo@bilko.io]
    LOGIN --> DASH[Dashboard loaded<br/>assert: zero-state metrics]

    DASH --> NEW_CONTACT["/contacts/new<br/>Create: Test Customer"]
    NEW_CONTACT --> NEW_INV["/invoices/new<br/>6-step wizard"]

    NEW_INV --> W1["Step 1: Select Customer<br/>assert: customer appears in dropdown"]
    W1 --> W2["Step 2: Set dates<br/>invoiceDate, dueDate"]
    W2 --> W3["Step 3: Add line items<br/>1000 RSD + 20% PDV = 1200 RSD total"]
    W3 --> W4["Step 4: Currency & exchange rate"]
    W4 --> W5["Step 5: Notes / payment terms"]
    W5 --> W6["Step 6: Review & Create<br/>assert: subtotal=1000, tax=200, total=1200"]

    W6 --> INV_DETAIL["Invoice detail page<br/>assert: status=draft, number=INV-YYYY-NNN"]
    INV_DETAIL --> SEND["Click: Send Invoice<br/>assert: status=sent"]
    SEND --> PAY["Click: Mark as Paid<br/>Enter paidAt date"]
    PAY --> PAID["assert: status=paid, paidAt set"]

    PAID --> PL["/reports?from=...&to=...<br/>assert: revenue-total = 1,200.00"]
    PL --> TB["/reports/trial-balance<br/>assert: balanced-indicator visible<br/>assert: Receivable balance = 0"]

    style START fill:#198754,color:#fff
    style TB fill:#0d6efd,color:#fff
    style PAID fill:#198754,color:#fff

5. Accounting Scenario Tests

These tests verify correctness of the double-entry system under real-world accounting scenarios.

5.1 Invoice → Payment → Reconciliation

Scenario: Company issues invoice, receives payment, reconciles bank statement

test('Full invoice lifecycle creates correct ledger entries', async () => {
  // 1. Create invoice: 100,000 RSD net + 20,000 RSD PDV = 120,000 RSD total
  // 2. Send invoice → Transaction: DR Receivable 120,000 / CR Revenue 120,000
  // 3. Mark paid → Transaction: DR Bank 120,000 / CR Receivable 120,000
  // 4. Trial balance: Bank +120,000 / Revenue +120,000 (balanced)
  // 5. Receivable account balance = 0 (opened and closed)
  // 6. General ledger shows both entries on Receivable account
  const trialBalance = await getTrialBalance();
  expect(trialBalance.balanced).toBe(true);
  const receivable = trialBalance.accounts.find(a => a.code.startsWith('12'));
  expect(receivable.balance).toBe('0.0000');
});

5.2 Multi-Currency Invoice

Scenario: RSD-based company invoices EUR customer

test('EUR invoice stored and reported in RSD base currency', async () => {
  // Exchange rate: 1 EUR = 117.25 RSD (locked at invoice date)
  // Invoice: 1,000 EUR + 200 EUR PDV = 1,200 EUR
  // Expected baseAmount: 1,200 × 117.25 = 140,700 RSD

  const invoice = await createInvoice({
    currencyCode: 'EUR',
    items: [{ quantity: 1, unitPrice: 1000, taxRate: 20 }],
    invoiceDate: '2026-02-01' // rate exists for this date
  });

  expect(invoice.currencyCode).toBe('EUR');
  expect(invoice.totalAmount).toBe('1200.0000');
  expect(invoice.exchangeRate).toBe('117.250000');
  expect(invoice.baseAmount).toBe('140700.0000');

  // When paid: DR Bank 140,700 RSD / CR Receivable 140,700 RSD
  await markPaid(invoice.id, '2026-02-15');
  const transaction = await getTransactionForInvoice(invoice.id, 'payment');
  expect(transaction.baseAmount).toBe('140700.0000');
});

5.3 VAT Calculation Accuracy

test('VAT calculated with Decimal precision, no float errors', async () => {
  // Known float trap: 0.1 + 0.2 ≠ 0.3 in JavaScript float
  // Test with amounts that expose float precision issues
  const result = calculateVAT('123.45', '20');
  // Expected: tax = 123.45 × 0.20 = 24.69 (not 24.690000000000003)
  expect(result.tax.toString()).toBe('24.6900');
  expect(result.total.toString()).toBe('148.1400');

  // Large amount
  const large = calculateVAT('999999.9999', '17');
  expect(large.tax.toString()).toBe('169999.9998');  // exact
});

5.4 Trial Balance After Multiple Transactions

test('Trial balance remains balanced after 10 invoices and 5 expenses', async () => {
  // Create 10 invoices (all sent + paid)
  for (let i = 0; i < 10; i++) {
    const inv = await createAndSendInvoice(orgId, 10000 + i * 100);
    await markPaid(inv.id, today);
  }
  // Create 5 expenses (all approved + paid)
  for (let i = 0; i < 5; i++) {
    const exp = await createAndApproveExpense(orgId, 5000 + i * 50);
    await payExpense(exp.id);
  }

  const tb = await getTrialBalance(orgId);
  expect(tb.balanced).toBe(true);
  // Total debits must equal total credits
  expect(new Decimal(tb.totals.debit)).toEqual(new Decimal(tb.totals.credit));
});

5.5 Expense Approval Double-Entry

test('Expense approval creates correct DR Expense / CR Payable entry', async () => {
  const expense = await createExpense({ amount: 5000, taxRate: 17 }); // 850 PDV
  await approveExpense(expense.id);

  const transactions = await getTransactionsForExpense(expense.id);
  expect(transactions).toHaveLength(1);
  const tx = transactions[0];

  // Verify debit is an expense account
  expect(tx.debitAccountCode).toMatch(/^5/);
  // Verify credit is payable
  expect(tx.creditAccountCode).toMatch(/^22/);
  // Amount matches expense amount
  expect(tx.amount).toBe('5000.0000');
});

6. Regulatory Compliance Tests

6.1 Serbia (RS)

describe('Serbia regulatory compliance', () => {
  it('PDV 20% standard rate applied to default supplies', async () => {
    const result = calculateSerbianPDV('10000', 'standard');
    expect(result).toBe('2000.00');
  });

  it('PDV 10% reduced rate applied to food/medicine', async () => {
    const result = calculateSerbianPDV('10000', 'reduced');
    expect(result).toBe('1000.00');
  });

  it('Business below 8M RSD threshold does not require VAT registration', () => {
    expect(requiresVATRegistration('7999999')).toBe(false);
  });

  it('Business at 8M RSD threshold requires VAT registration', () => {
    expect(requiresVATRegistration('8000000')).toBe(true);
  });

  it('Business below 6M RSD qualifies for pausal regime', () => {
    expect(qualifiesForPausalRegime('5999999')).toBe(true);
  });

  it('CIT calculated at flat 15%', () => {
    const cit = calculateSerbianCIT('100000');
    expect(cit).toBe('15000.00');
  });

  it('Invoice number follows Serbian format requirements', () => {
    // INV-YYYY-NNN format with sequential numbering
    expect(invoiceNumber).toMatch(/^INV-\d{4}-\d{3,}$/);
  });

  it('VAT report groups output and input VAT separately', async () => {
    const report = await getVATReport(orgId, { from: '2026-01-01', to: '2026-01-31' });
    expect(report).toHaveProperty('outputVAT');
    expect(report).toHaveProperty('inputVAT');
    expect(report).toHaveProperty('netVAT');
    expect(new Decimal(report.netVAT)).toEqual(
      new Decimal(report.outputVAT.total).sub(new Decimal(report.inputVAT.total))
    );
  });
});

6.2 Bosnia & Herzegovina (BA)

describe('BiH regulatory compliance', () => {
  it('Single PDV rate of 17% applied uniformly', () => {
    const result = calculateBosnianPDV('10000');
    expect(result).toBe('1700.00');
  });

  it('BiH has no reduced VAT rate (only standard and zero)', () => {
    const rates = Object.keys(bosnianVATRates);
    expect(rates).toEqual(['standard', 'zero']);
  });

  it('VAT registration required at 100,000 BAM', () => {
    expect(requiresVATRegistration('99999')).toBe(false);
    expect(requiresVATRegistration('100000')).toBe(true);
  });

  it('FBiH CIT at 10%', () => {
    expect(calculateCITFBiH('100000')).toBe('10000.00');
  });

  it('RS CIT at 10%', () => {
    expect(calculateCITRS('100000')).toBe('10000.00');
  });

  it('Dividend WHT: FBiH 5%, RS 10%', () => {
    expect(calculateDividendWHT('100000', 'fbih')).toBe('5000.00');
    expect(calculateDividendWHT('100000', 'rs')).toBe('10000.00');
  });
});

6.3 Croatia (HR)

describe('Croatia regulatory compliance', () => {
  it('Standard PDV rate is 25%', () => {
    const result = calculateCroatianPDV('10000', 'standard');
    expect(result).toBe('2500.00');
  });

  it('Reduced PDV rate is 13% (food, accommodation)', () => {
    const result = calculateCroatianPDV('10000', 'reduced');
    expect(result).toBe('1300.00');
  });

  it('Super-reduced PDV rate is 5% (books, medicines)', () => {
    const result = calculateCroatianPDV('10000', 'superReduced');
    expect(result).toBe('500.00');
  });

  it('CIT 10% for small business (revenue < 1M EUR)', () => {
    const cit = calculateCroatianCIT('50000', '900000');
    expect(cit).toBe('5000.00');
  });

  it('CIT 18% for large business (revenue >= 1M EUR)', () => {
    const cit = calculateCroatianCIT('50000', '1000000');
    expect(cit).toBe('9000.00');
  });

  it('VAT registration threshold 60,000 EUR (EU 2025 aligned)', () => {
    expect(requiresVATRegistration('59999')).toBe(false);
    expect(requiresVATRegistration('60000')).toBe(true);
  });
});

6.4 Audit Trail Compliance

describe('Immutable audit trail', () => {
  it('LoggedAction created on invoice create', async () => {
    await createInvoice(orgId, ...);
    const logs = await prisma.loggedAction.findMany({
      where: { tableName: 'invoices', action: 'INSERT' }
    });
    expect(logs).toHaveLength(1);
    expect(logs[0].rowData).toBeTruthy();
  });

  it('LoggedAction created on invoice status change', async () => {
    await sendInvoice(invoiceId);
    const logs = await prisma.loggedAction.findMany({
      where: { tableName: 'invoices', action: 'UPDATE' }
    });
    expect(logs.length).toBeGreaterThan(0);
    expect(logs[0].changedFields).toHaveProperty('status');
  });

  it('LoggedAction cannot be deleted', async () => {
    // Attempt to delete a log entry — should fail (policy enforced at app or DB level)
    await expect(prisma.loggedAction.delete({ where: { eventId: logs[0].eventId } }))
      .rejects.toThrow();
  });

  it('locked transaction cannot be updated', async () => {
    await prisma.transaction.update({
      where: { id: txId },
      data: { locked: true }
    });
    // Attempt to change amount of locked transaction via API
    const response = await request(app)
      .put(`/api/v1/transactions/${txId}`)
      .set('Authorization', `Bearer ${token}`)
      .send({ amount: 99999 });
    expect(response.status).toBe(400);
  });
});

6.5 Record Retention

describe('Record retention requirements', () => {
  it('Deleted invoices remain in LoggedAction with full row data', async () => {
    const invoice = await createInvoice(orgId);
    const invoiceId = invoice.id;
    await deleteInvoice(invoiceId);
    // Invoice deleted from invoices table
    const inv = await prisma.invoice.findUnique({ where: { id: invoiceId } });
    expect(inv).toBeNull();
    // But audit log captures the full row
    const log = await prisma.loggedAction.findFirst({
      where: { tableName: 'invoices', action: 'DELETE' }
    });
    expect(log.rowData).toBeTruthy();
    expect(JSON.parse(log.rowData).id).toBe(invoiceId);
  });
});

7. Performance Benchmarks

Tool: k6 (load testing), Lighthouse (frontend)

7.1 API Response Time Targets

Endpoint Target (P95) Max Acceptable
GET /api/v1/health < 10ms < 50ms
POST /api/v1/auth/login < 300ms < 1s
GET /api/v1/invoices (20 items) < 200ms < 500ms
POST /api/v1/invoices < 500ms < 1s
GET /api/v1/reports/profit-loss < 500ms < 2s
GET /api/v1/reports/trial-balance < 1s < 3s
GET /api/v1/reports/general-ledger < 2s < 5s
POST /api/v1/bank-accounts/:id/import (100 rows) < 1s < 3s

7.2 Load Test Scenarios

// k6 scenario: Normal business day load
export const options = {
  scenarios: {
    normal_load: {
      executor: 'constant-vus',
      vus: 50,
      duration: '5m',
    },
    spike: {
      executor: 'ramping-vus',
      startVUs: 0,
      stages: [
        { duration: '30s', target: 200 },
        { duration: '1m', target: 200 },
        { duration: '30s', target: 0 },
      ],
    }
  },
  thresholds: {
    'http_req_duration{type:api}': ['p(95)<500'],
    'http_req_failed': ['rate<0.01'], // < 1% error rate
  }
};

7.3 Database Performance

Operation Target
Invoice list query (org with 10K invoices) < 100ms
Trial balance (org with 1K accounts, 100K transactions) < 2s
Exchange rate lookup < 10ms (covered by index)
Audit log insert < 5ms

7.4 Frontend Performance (Lighthouse)

Metric Target
First Contentful Paint (FCP) < 1.5s
Largest Contentful Paint (LCP) < 2.5s
Time to Interactive (TTI) < 3.5s
Cumulative Layout Shift (CLS) < 0.1
Lighthouse Performance Score > 90

8. Security Tests

8.1 Authentication Security

describe('Authentication security', () => {
  it('rejected with 401 for missing Authorization header');
  it('rejected with 401 for malformed Bearer token');
  it('rejected with 401 for expired access token');
  it('rejected with 401 for tampered JWT signature');
  it('rejected with 401 for wrong JWT_SECRET');
  it('access token cannot be used as refresh token');
  it('refresh token cannot be used as access token');
  it('tokens have correct issuer and audience claims');
});

8.2 RBAC Authorization

describe('Role-based access control', () => {
  it('viewer cannot create invoices (403)');
  it('viewer cannot create expenses (403)');
  it('viewer cannot create manual transactions (403)');
  it('accountant cannot change user roles (403)');
  it('accountant cannot invite users (403)');
  it('admin cannot change owner role (403)');
  it('owner can change any role');
  it('user cannot change their own role');
  it('user cannot delete themselves');
});

8.3 SQL Injection

describe('SQL injection prevention', () => {
  it('invoice search with SQL payload returns 400 (Zod validation)', async () => {
    const res = await request(app)
      .get('/api/v1/invoices?customerId=\'; DROP TABLE invoices; --')
      .set('Authorization', `Bearer ${token}`);
    expect(res.status).toBe(400); // Zod rejects invalid UUID
  });

  it('Prisma parameterizes all queries (no raw SQL in services)');
});

8.4 Cross-Site Scripting (XSS)

describe('XSS prevention', () => {
  it('contact name with script tag is stored as plain text', async () => {
    const name = '<script>alert("xss")</script>';
    const contact = await createContact({ name });
    expect(contact.name).toBe(name); // stored as-is
    // API response should not execute as HTML (verified by Content-Type: application/json)
  });

  it('Content-Security-Policy header blocks inline scripts', async () => {
    const res = await request(app).get('/api/v1/health');
    const csp = res.headers['content-security-policy'];
    expect(csp).toContain("script-src 'self'");
    expect(csp).not.toContain("'unsafe-eval'");
  });
});

8.5 Rate Limiting

describe('Rate limiting', () => {
  it('general API limit: 100 requests per 15 min per IP', async () => {
    // Make 101 requests from same IP
    const responses = await makeRequests(101, '/api/v1/health');
    const lastResponse = responses[100];
    expect(lastResponse.status).toBe(429);
  });

  it('auth endpoints have stricter rate limit', async () => {
    // Make rapid login attempts — triggers auth rate limiter before general
    const responses = await makeLoginAttempts(20);
    expect(responses.some(r => r.status === 429)).toBe(true);
  });
});

8.6 Data Isolation / Multi-Tenant Security

describe('Tenant isolation security', () => {
  it('cannot access another org invoice by ID (returns 404, not 403)');
  // Note: returning 404 instead of 403 prevents enumeration attacks
  it('cannot access another org transactions by reference ID');
  it('cannot access another org users via /api/v1/users');
  it('cannot access another org bank accounts');
  it('PATCH invoice from another org returns 404');
  it('DELETE invoice from another org returns 404');
});

8.7 CORS

describe('CORS policy', () => {
  it('requests from bilko.io are allowed');
  it('requests from unknown origin are rejected with CORS error');
  it('OPTIONS preflight returns correct headers');
  it('credentials (cookies) allowed with CORS');
});

8.8 Security Headers

describe('Security headers', () => {
  it('X-Frame-Options: deny (clickjacking protection)');
  it('X-Content-Type-Options: nosniff');
  it('Strict-Transport-Security: maxAge=31536000; includeSubDomains; preload');
  it('Content-Security-Policy present');
  it('X-Powered-By header removed (helmet default)');
});

CI/CD Test Pipeline

flowchart TD
    PUSH["git push / PR opened"] --> CI["GitHub Actions triggered"]

    CI --> J1["Job: unit-tests<br/>ubuntu-latest<br/>No DB required"]
    CI --> J2["Job: integration-tests<br/>ubuntu-latest<br/>postgres:15 service"]
    CI --> J3["Job: e2e-tests<br/>ubuntu-latest<br/>Full stack startup"]

    J1 --> U1["npm ci"]
    U1 --> U2["cd packages/core && npx vitest run"]
    U2 --> U3{Coverage >= 80%?}
    U3 -->|Yes| U_OK["PASS"]
    U3 -->|No| U_FAIL["FAIL — block merge"]

    J2 --> I1["npm ci"]
    I1 --> I2["npx prisma migrate deploy<br/>(TEST_DATABASE_URL)"]
    I2 --> I3["npm run test:integration<br/>(apps/api)"]
    I3 --> I4{All assertions pass?}
    I4 -->|Yes| I_OK["PASS"]
    I4 -->|No| I_FAIL["FAIL — block merge"]

    J3 --> E1["npx playwright install --with-deps"]
    E1 --> E2["npm run dev (staging seed)"]
    E2 --> E3["npm run test:e2e"]
    E3 --> E4{All flows pass?}
    E4 -->|Yes| E_OK["PASS"]
    E4 -->|No| E_FAIL["FAIL — screenshot + video saved"]

    U_OK --> MERGE{All jobs passed?}
    I_OK --> MERGE
    E_OK --> MERGE
    MERGE -->|Yes| DEPLOY["Allow merge to main"]
    MERGE -->|No| BLOCK["Block PR merge"]

    style PUSH fill:#6c757d,color:#fff
    style DEPLOY fill:#198754,color:#fff
    style BLOCK fill:#dc3545,color:#fff
    style U_FAIL fill:#dc3545,color:#fff
    style I_FAIL fill:#dc3545,color:#fff
    style E_FAIL fill:#dc3545,color:#fff

9. Test Infrastructure

9.1 Directory Structure

Bilko/
├── packages/core/
│   ├── tests/                         ← Unit tests (EXISTS)
│   │   ├── accounting.test.ts
│   │   ├── tax.test.ts
│   │   ├── multi-currency.test.ts
│   │   ├── invoicing.test.ts
│   │   └── chart-of-accounts.test.ts
│   └── vitest.config.ts               ← Vitest config (EXISTS)
│
├── apps/api/
│   └── tests/                         ← To be created
│       ├── setup.ts                   ← DB setup/teardown
│       ├── helpers/
│       │   ├── auth.helper.ts         ← Login/register helpers
│       │   └── factory.ts             ← Test data factories
│       ├── integration/
│       │   ├── auth.test.ts
│       │   ├── invoices.test.ts
│       │   ├── expenses.test.ts
│       │   ├── contacts.test.ts
│       │   ├── accounts.test.ts
│       │   ├── transactions.test.ts
│       │   ├── reports.test.ts
│       │   ├── banking.test.ts
│       │   ├── settings.test.ts
│       │   └── isolation.test.ts
│       └── security/
│           ├── auth-security.test.ts
│           ├── rbac.test.ts
│           ├── injection.test.ts
│           └── headers.test.ts
│
└── e2e/                               ← To be created
    ├── playwright.config.ts
    ├── fixtures/
    │   └── test-data.ts
    └── tests/
        ├── auth.spec.ts
        ├── invoice-lifecycle.spec.ts
        ├── expense-flow.spec.ts
        ├── bank-reconciliation.spec.ts
        └── reports.spec.ts

9.2 Environment Variables for Testing

# Test environment
TEST_DATABASE_URL="postgresql://bilko_test:password@localhost:5432/bilko_test"
JWT_SECRET="test-jwt-secret-not-for-production"
JWT_REFRESH_SECRET="test-refresh-secret-not-for-production"
NODE_ENV="test"

9.3 CI Pipeline Integration

# .github/workflows/test.yml (target)
jobs:
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci
      - run: cd packages/core && npx vitest run

  integration-tests:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:15
        env:
          POSTGRES_DB: bilko_test
          POSTGRES_PASSWORD: password
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npx prisma migrate deploy
        env:
          DATABASE_URL: ${{ env.TEST_DATABASE_URL }}
      - run: npm run test:integration
        working-directory: apps/api

  e2e-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npx playwright install --with-deps
      - run: npm run test:e2e
        env:
          PLAYWRIGHT_BASE_URL: http://localhost:3000

10. Test Coverage Targets

Module Unit Coverage Integration Coverage
@bilko/core accounting 95% (near complete) N/A
@bilko/core tax 95% (near complete) N/A
@bilko/core multi-currency 90% N/A
@bilko/core bank-import 80% (tests missing) N/A
@bilko/country-rs tax 0% (tests missing) N/A
@bilko/country-ba tax 0% (tests missing) N/A
@bilko/country-hr tax 0% (tests missing) N/A
API auth routes N/A 90%
API invoice routes N/A 90%
API expense routes N/A 85%
API report routes N/A 80%
API banking routes N/A 75%
API settings routes N/A 80%
Multi-tenancy isolation N/A 100%
Security tests N/A 90%

Overall target: 80% line coverage across the codebase before production launch.

Testing & QA

Testing Guide

Bilko — Testing Guide

Status: NO TESTS EXIST YET — This document defines the testing strategy for implementation.

Testing Philosophy

Financial software has a higher correctness bar than typical web apps. Bilko's testing strategy prioritizes:

  1. Financial Logic Accuracy — VAT calculations, double-entry bookkeeping, currency conversion
  2. Data Integrity — No lost transactions, no balance discrepancies
  3. Regression Prevention — Once fixed, bugs stay fixed
  4. Fast Feedback — Tests run in <5 minutes locally

Testing Pyramid

         /\
        /E2E\        ← 10% (Critical user flows)
       /------\
      /  Integ \     ← 30% (API endpoints, DB queries)
     /----------\
    /    Unit    \   ← 60% (Business logic, utilities)
   /--------------\

Distribution:

graph TD
    subgraph STACK["Bilko Testing Stack"]
        direction TB

        subgraph E2E_LAYER["E2E Layer — 10% — Playwright"]
            PW1["invoice-flow.spec.ts<br/>Create → Send → Paid"]
            PW2["expense-flow.spec.ts<br/>Add → Approve → Pay"]
            PW3["report-flow.spec.ts<br/>P&L → Export PDF"]
            PW4["auth-flow.spec.ts<br/>Register → Login → Logout"]
        end

        subgraph INT_LAYER["Integration Layer — 30% — Supertest"]
            ST1["auth.routes.test.ts<br/>register / login / refresh / logout"]
            ST2["invoices.routes.test.ts<br/>CRUD + status transitions"]
            ST3["expenses.routes.test.ts<br/>CRUD + approve/pay"]
            ST4["reports.routes.test.ts<br/>P&L / trial-balance / VAT"]
            ST5["isolation.test.ts<br/>Cross-org data access prevention"]
        end

        subgraph UNIT_LAYER["Unit Layer — 60% — Vitest"]
            VT1["accounting.test.ts<br/>validateDoubleEntry, createJournalEntry<br/>calculateTrialBalance"]
            VT2["tax.test.ts<br/>calculateVAT: RS 20% / BA 17% / HR 25%<br/>calculateCIT, getVATRates"]
            VT3["multi-currency.test.ts<br/>convertCurrency, lockExchangeRate<br/>calculateForexGainLoss"]
            VT4["bank-import.test.ts<br/>parseCSV, detectDuplicates"]
            VT5["chart-of-accounts.test.ts<br/>Structure validation"]
        end
    end

    E2E_LAYER --> INT_LAYER
    INT_LAYER --> UNIT_LAYER

    style E2E_LAYER fill:#ffc107,stroke:#e0a800
    style INT_LAYER fill:#fd7e14,color:#fff,stroke:#e8690b
    style UNIT_LAYER fill:#198754,color:#fff,stroke:#157347

Tech Stack

Test Type Framework Purpose
Unit Vitest Business logic, utilities, components
Integration Supertest API endpoint testing
E2E Playwright Browser automation, user flows
Coverage c8 (built into Vitest) Code coverage reporting

Why These Tools?

Vitest (not Jest)

Supertest (not Postman)

Playwright (not Cypress)

Unit Tests (Vitest)

Scope

Test pure functions and business logic in isolation:

File Structure

apps/api/src/
├── services/
│   ├── invoice.service.ts
│   └── invoice.service.test.ts  ← Unit test
├── utils/
│   ├── vat.ts
│   └── vat.test.ts  ← Unit test

Example: VAT Calculation Test

// apps/api/src/utils/vat.test.ts
import { describe, it, expect } from 'vitest';
import { calculateVAT } from './vat';

describe('calculateVAT', () => {
  it('calculates Serbia VAT (20%)', () => {
    const result = calculateVAT(100, 20);
    expect(result).toBe(20);
  });

  it('calculates BiH VAT (17%)', () => {
    const result = calculateVAT(100, 17);
    expect(result).toBe(17);
  });

  it('calculates Croatia VAT (25%)', () => {
    const result = calculateVAT(100, 25);
    expect(result).toBe(25);
  });

  it('handles zero VAT', () => {
    const result = calculateVAT(100, 0);
    expect(result).toBe(0);
  });

  it('handles decimal amounts', () => {
    const result = calculateVAT(123.45, 20);
    expect(result).toBe(24.69);
  });

  it('rounds to 2 decimal places', () => {
    const result = calculateVAT(10.01, 20);
    expect(result).toBe(2.00); // Not 2.002
  });
});

Running Unit Tests

# Run all unit tests
npm run test:unit

# Watch mode (re-run on file change)
npm run test:unit -- --watch

# Coverage report
npm run test:unit -- --coverage

# Specific file
npm run test:unit -- vat.test.ts

Coverage Requirements

Category Target Rationale
Financial logic >95% Critical for correctness
Utilities >90% Reused across codebase
Services >80% Business logic layer
Controllers >60% Thin layer (tested via integration)
Overall >80% Industry standard

Integration Tests (Supertest)

Scope

Test API endpoints with real database:

File Structure

apps/api/src/
├── routes/
│   ├── auth.routes.ts
│   └── auth.routes.test.ts  ← Integration test
├── routes/
│   ├── invoices.routes.ts
│   └── invoices.routes.test.ts  ← Integration test

Test Database Setup

Use separate test database:

# .env.test
DATABASE_URL=postgresql://bilko_test:bilko_test@localhost:5432/bilko_test

Setup/teardown:

// apps/api/src/test/setup.ts
import { PrismaClient } from '@prisma/client';
import { beforeAll, afterAll, beforeEach } from 'vitest';

const prisma = new PrismaClient();

beforeAll(async () => {
  // Run migrations on test DB
  await execSync('npx prisma migrate deploy');
});

beforeEach(async () => {
  // Clear all tables before each test
  await prisma.$transaction([
    prisma.invoice.deleteMany(),
    prisma.expense.deleteMany(),
    prisma.contact.deleteMany(),
    prisma.user.deleteMany(),
    prisma.organization.deleteMany(),
  ]);
});

afterAll(async () => {
  await prisma.$disconnect();
});

Example: Invoice API Test

// apps/api/src/routes/invoices.routes.test.ts
import { describe, it, expect, beforeEach } from 'vitest';
import request from 'supertest';
import { app } from '../app';
import { prisma } from '../lib/prisma';

describe('POST /api/v1/invoices', () => {
  let authToken: string;
  let organizationId: string;
  let customerId: string;

  beforeEach(async () => {
    // Create test organization
    const org = await prisma.organization.create({
      data: {
        name: 'Test Company',
        baseCurrency: 'RSD',
        country: 'RS',
      },
    });
    organizationId = org.id;

    // Create test user
    const user = await prisma.user.create({
      data: {
        organizationId,
        email: 'test@bilko.io',
        passwordHash: '$2b$12$...', // bcrypt hash
        fullName: 'Test User',
        role: 'admin',
      },
    });

    // Login to get token
    const loginRes = await request(app)
      .post('/api/v1/auth/login')
      .send({ email: 'test@bilko.io', password: 'test123' });
    authToken = loginRes.body.accessToken;

    // Create test customer
    const customer = await prisma.contact.create({
      data: {
        organizationId,
        type: 'customer',
        name: 'Test Customer',
        email: 'customer@example.com',
      },
    });
    customerId = customer.id;
  });

  it('creates invoice with valid data', async () => {
    const res = await request(app)
      .post('/api/v1/invoices')
      .set('Authorization', `Bearer ${authToken}`)
      .send({
        customerId,
        invoiceDate: '2026-02-20',
        dueDate: '2026-03-20',
        currencyCode: 'RSD',
        items: [
          {
            description: 'Web Development',
            quantity: 10,
            unitPrice: 5000,
            taxRate: 20,
          },
        ],
      });

    expect(res.status).toBe(201);
    expect(res.body.invoiceNumber).toMatch(/^INV-\d+$/);
    expect(res.body.subtotal).toBe(50000);
    expect(res.body.taxAmount).toBe(10000);
    expect(res.body.totalAmount).toBe(60000);
  });

  it('rejects invoice without auth', async () => {
    const res = await request(app)
      .post('/api/v1/invoices')
      .send({ customerId, items: [] });

    expect(res.status).toBe(401);
  });

  it('rejects invoice for customer in different org', async () => {
    // Create another org
    const otherOrg = await prisma.organization.create({
      data: { name: 'Other Company', baseCurrency: 'EUR', country: 'RS' },
    });

    // Create customer in other org
    const otherCustomer = await prisma.contact.create({
      data: {
        organizationId: otherOrg.id,
        type: 'customer',
        name: 'Other Customer',
      },
    });

    const res = await request(app)
      .post('/api/v1/invoices')
      .set('Authorization', `Bearer ${authToken}`)
      .send({
        customerId: otherCustomer.id,
        items: [],
      });

    expect(res.status).toBe(403); // Forbidden (can't access other org's data)
  });
});

Running Integration Tests

# Run all integration tests
npm run test:integration

# Specific file
npm run test:integration -- invoices.routes.test.ts

E2E Tests (Playwright)

Scope

Test critical user flows from browser:

File Structure

apps/e2e/
├── tests/
│   ├── invoice-flow.spec.ts
│   ├── expense-flow.spec.ts
│   ├── report-flow.spec.ts
│   └── auth-flow.spec.ts
├── fixtures/
│   └── test-data.ts
└── playwright.config.ts

Configuration

// apps/e2e/playwright.config.ts
import { defineConfig } from '@playwright/test';

export default defineConfig({
  testDir: './tests',
  timeout: 60000, // 60s per test
  retries: 1, // Retry flaky tests once
  workers: 4, // Run 4 tests in parallel
  use: {
    baseURL: 'http://localhost:3000',
    screenshot: 'only-on-failure',
    video: 'retain-on-failure',
  },
  projects: [
    { name: 'chromium', use: { browserName: 'chromium' } },
    { name: 'firefox', use: { browserName: 'firefox' } },
    { name: 'webkit', use: { browserName: 'webkit' } },
  ],
});

Example: Invoice E2E Test

// apps/e2e/tests/invoice-flow.spec.ts
import { test, expect } from '@playwright/test';

test.describe('Invoice Flow', () => {
  test.beforeEach(async ({ page }) => {
    // Login
    await page.goto('/login');
    await page.fill('input[name="email"]', 'demo@bilko.io');
    await page.fill('input[name="password"]', 'demo123');
    await page.click('button[type="submit"]');
    await expect(page).toHaveURL('/dashboard');
  });

  test('create invoice and mark as paid', async ({ page }) => {
    // Navigate to invoices
    await page.click('a[href="/invoices"]');
    await expect(page).toHaveURL('/invoices');

    // Click "New Invoice"
    await page.click('button:has-text("New Invoice")');
    await expect(page).toHaveURL('/invoices/new');

    // Fill invoice form (6-step wizard)
    // Step 1: Customer
    await page.selectOption('select[name="customerId"]', { label: 'Acme Corp' });
    await page.click('button:has-text("Next")');

    // Step 2: Details
    await page.fill('input[name="invoiceDate"]', '2026-02-20');
    await page.fill('input[name="dueDate"]', '2026-03-20');
    await page.click('button:has-text("Next")');

    // Step 3: Items
    await page.fill('input[name="items.0.description"]', 'Web Development');
    await page.fill('input[name="items.0.quantity"]', '10');
    await page.fill('input[name="items.0.unitPrice"]', '5000');
    await page.selectOption('select[name="items.0.taxRate"]', '20');
    await page.click('button:has-text("Next")');

    // Step 4: Review
    await expect(page.locator('text=Subtotal')).toContainText('50,000.00 RSD');
    await expect(page.locator('text=Tax')).toContainText('10,000.00 RSD');
    await expect(page.locator('text=Total')).toContainText('60,000.00 RSD');
    await page.click('button:has-text("Create Invoice")');

    // Verify redirect to invoice detail
    await expect(page).toHaveURL(/\/invoices\/[a-f0-9-]+$/);
    await expect(page.locator('h1')).toContainText('INV-');

    // Mark as paid
    await page.click('button:has-text("Mark as Paid")');
    await page.click('button:has-text("Confirm")');

    // Verify status changed
    await expect(page.locator('.status-badge')).toContainText('Paid');
  });

  test('validates required fields', async ({ page }) => {
    await page.goto('/invoices/new');

    // Try to submit without customer
    await page.click('button:has-text("Next")');

    // Verify error message
    await expect(page.locator('.error')).toContainText('Customer is required');
  });
});

Running E2E Tests

# Start dev server first
npm run dev

# In another terminal:
npm run test:e2e

# Headless (CI mode)
npm run test:e2e -- --headed

# Debug mode (pause on failure)
npm run test:e2e -- --debug

# Specific browser
npm run test:e2e -- --project=firefox

VAT Test Matrix — Country Coverage

graph TD
    VAT["calculateVAT Tests<br/>@bilko/core/tax"]

    VAT --> RS["Serbia RS<br/>Standard: 20%<br/>Reduced: 10%<br/>Zero: 0% exports<br/>CIT: 15% flat<br/>Pausal: &lt; 6M RSD<br/>VAT reg: &gt;= 8M RSD"]

    VAT --> BA["Bosnia BA<br/>Standard: 17%<br/>No reduced rate<br/>Zero: 0% exports<br/>FBiH CIT: 10%<br/>RS CIT: 10%<br/>WHT FBiH: 5% div<br/>VAT reg: &gt;= 100K BAM"]

    VAT --> HR["Croatia HR<br/>Standard: 25%<br/>Reduced: 13%<br/>Super-red: 5%<br/>CIT small: 10%<br/>CIT large: 18%<br/>VAT reg: &gt;= 60K EUR"]

    RS --> RS_T["Test: calculateSerbianPDV<br/>Test: qualifiesForPausalRegime<br/>Test: requiresVATRegistration RS"]
    BA --> BA_T["Test: calculateBosnianPDV<br/>Test: calculateCITFBiH / CITRS<br/>Test: calculateDividendWHT"]
    HR --> HR_T["Test: calculateCroatianPDV<br/>Test: calculateCroatianCIT<br/>Test: requiresVATRegistration HR"]

    style VAT fill:#0d6efd,color:#fff
    style RS fill:#c0392b,color:#fff
    style BA fill:#2c3e50,color:#fff
    style HR fill:#e74c3c,color:#fff

Test Data Management

Factories (Recommended)

Create reusable test data generators:

// apps/api/src/test/factories/invoice.factory.ts
import { faker } from '@faker-js/faker';
import { prisma } from '../../lib/prisma';

export async function createInvoice(overrides = {}) {
  return prisma.invoice.create({
    data: {
      organizationId: faker.string.uuid(),
      customerId: faker.string.uuid(),
      invoiceNumber: `INV-${faker.number.int({ min: 1000, max: 9999 })}`,
      invoiceDate: faker.date.recent(),
      dueDate: faker.date.future(),
      currencyCode: 'RSD',
      subtotal: 50000,
      taxAmount: 10000,
      totalAmount: 60000,
      baseAmount: 60000,
      status: 'draft',
      ...overrides,
    },
  });
}

Usage:

const invoice = await createInvoice({ status: 'paid' });

Coverage Reporting

Generate Coverage Report

npm run test:unit -- --coverage

Output:

File             | % Stmts | % Branch | % Funcs | % Lines
-----------------|---------|----------|---------|--------
All files        |   82.5  |   75.3   |   80.1  |  82.5
 vat.ts          |   95.0  |   90.0   |  100.0  |  95.0
 invoice.ts      |   88.2  |   80.5   |   85.0  |  88.2
 currency.ts     |   78.0  |   70.0   |   75.0  |  78.0

Coverage Thresholds (CI)

Fail build if coverage drops below threshold:

// vitest.config.ts
export default defineConfig({
  test: {
    coverage: {
      provider: 'c8',
      reporter: ['text', 'json', 'html'],
      statements: 80,
      branches: 75,
      functions: 80,
      lines: 80,
    },
  },
});

Testing Best Practices

1. Test Behavior, Not Implementation

Bad: Test internal state

it('sets status to paid', () => {
  invoice.status = 'paid';
  expect(invoice.status).toBe('paid');
});

Good: Test observable behavior

it('marks invoice as paid', async () => {
  await invoiceService.markAsPaid(invoice.id);
  const updated = await prisma.invoice.findUnique({ where: { id: invoice.id } });
  expect(updated.status).toBe('paid');
  expect(updated.paidAt).toBeTruthy();
});

2. Use Descriptive Test Names

Bad: Vague test name

it('works', () => { /* ... */ });

Good: Descriptive test name

it('calculates Serbian VAT at 20% on €100 as €20', () => { /* ... */ });

3. Arrange-Act-Assert (AAA)

it('creates invoice with correct totals', async () => {
  // ARRANGE — Set up test data
  const customer = await createCustomer();
  const invoiceData = { customerId: customer.id, items: [...] };

  // ACT — Perform action
  const invoice = await invoiceService.create(invoiceData);

  // ASSERT — Verify outcome
  expect(invoice.subtotal).toBe(50000);
  expect(invoice.taxAmount).toBe(10000);
  expect(invoice.totalAmount).toBe(60000);
});

4. Test Edge Cases

Always test:

5. Avoid Test Interdependence

Bad: Tests depend on each other

let invoiceId;

it('creates invoice', async () => {
  const invoice = await createInvoice();
  invoiceId = invoice.id; // Shared state
});

it('updates invoice', async () => {
  await updateInvoice(invoiceId); // Depends on previous test
});

Good: Tests are independent

it('creates invoice', async () => {
  const invoice = await createInvoice();
  expect(invoice.id).toBeTruthy();
});

it('updates invoice', async () => {
  const invoice = await createInvoice(); // Create fresh data
  await updateInvoice(invoice.id);
});

CI/CD Integration

Tests run automatically on every push (GitHub Actions):

# .github/workflows/main.yml
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: npm run test:unit -- --coverage
      - run: npm run test:integration
      - run: npm run test:e2e

flowchart LR
    GIT["git push"] --> GHA["GitHub Actions"]

    GHA --> PARALLEL["Parallel Jobs"]

    PARALLEL --> U["unit-tests<br/>vitest run<br/>@bilko/core<br/>~30s"]
    PARALLEL --> I["integration-tests<br/>supertest<br/>postgres:15<br/>~2min"]
    PARALLEL --> E["e2e-tests<br/>playwright<br/>all browsers<br/>~5min"]

    U --> COV{"Coverage<br/>>80%?"}
    I --> API{"All API<br/>tests pass?"}
    E --> E2E{"All flows<br/>pass?"}

    COV -->|Pass| GATE["Merge Gate"]
    API -->|Pass| GATE
    E2E -->|Pass| GATE

    COV -->|Fail| BLOCK1["Block PR"]
    API -->|Fail| BLOCK1
    E2E -->|Fail| BLOCK1

    GATE --> MAIN["Merge to main"]
    MAIN --> DEPLOY["Deploy to Staging"]

    style GIT fill:#6c757d,color:#fff
    style MAIN fill:#198754,color:#fff
    style BLOCK1 fill:#dc3545,color:#fff
    style DEPLOY fill:#0d6efd,color:#fff

See CI-CD.md for full pipeline.

Debugging Tests

Unit/Integration Tests (Vitest)

# Debug mode (pause on debugger statement)
npm run test:unit -- --inspect-brk

# VS Code launch.json:
{
  "type": "node",
  "request": "launch",
  "name": "Debug Vitest",
  "runtimeExecutable": "npm",
  "runtimeArgs": ["run", "test:unit", "--", "--inspect-brk"],
  "console": "integratedTerminal"
}

E2E Tests (Playwright)

# Debug mode (opens inspector)
npm run test:e2e -- --debug

# Headed mode (see browser)
npm run test:e2e -- --headed

# Trace viewer (after failure)
npx playwright show-trace trace.zip

Performance Testing (Future)

Load Testing (k6)

Test API under load:

// apps/e2e/load/invoices.js
import http from 'k6/http';
import { check } from 'k6';

export let options = {
  vus: 100, // 100 virtual users
  duration: '30s',
};

export default function () {
  const res = http.get('http://localhost:4000/api/v1/invoices');
  check(res, { 'status is 200': (r) => r.status === 200 });
}

Run:

k6 run apps/e2e/load/invoices.js

Target: API handles 1,000 requests/second with <200ms p95 latency.

Status: PLANNED (Phase 2)

Last Updated: 2026-02-20 Status: NO TESTS EXIST YET — Implement tests during backend development Coverage Target: >80% overall, >95% for financial logic

Testing & QA

Test Inventory

Bilko — Test Inventory

Status: NO TESTS EXIST YET — This document tracks planned tests and implementation status.

This inventory catalogs all tests planned for Bilko, organized by category and priority.

Test Coverage Summary

Category Total Planned Implemented Coverage Target
Unit Tests 45 0 >80%
Integration Tests 35 0 >80%
E2E Tests 12 0 Critical flows
TOTAL 92 0 
graph TD
    subgraph COVERAGE["Test Coverage Matrix — 92 Tests Planned"]
        subgraph UNIT["Unit Tests — 45"]
            FIN["Financial Calculations<br/>12 tests — P0<br/>VAT, invoice totals, precision"]
            DE["Double-Entry Validation<br/>6 tests — P0<br/>debit=credit enforcement"]
            CUR["Currency Conversion<br/>8 tests — P0<br/>exchange rate locking"]
            DATE["Date Utilities<br/>6 tests — P1<br/>due dates, fiscal year"]
            FMT["Number Formatting<br/>5 tests — P1<br/>RSD, EUR, BAM display"]
            AUTH_U["Authentication Utils<br/>8 tests — P0<br/>bcrypt, JWT, tokens"]
        end

        subgraph INTEG["Integration Tests — 35"]
            AUTH_API["Auth API<br/>10 tests — P0<br/>register/login/refresh/logout"]
            INV_API["Invoices API<br/>10 tests — P0<br/>CRUD + status + org-scope"]
            EXP_API["Expenses API<br/>8 tests — P1<br/>CRUD + approve/pay"]
            REP_API["Reports API<br/>7 tests — P1<br/>P&L / BS / VAT reports"]
        end

        subgraph E2E_["E2E Tests — 12"]
            INV_E2E["Invoice Flow<br/>4 tests — P0<br/>Create → Send → Paid"]
            EXP_E2E["Expense Flow<br/>3 tests — P1<br/>Add → Approve → Pay"]
            REP_E2E["Report Flow<br/>2 tests — P1<br/>Generate → Export PDF"]
            SET_E2E["Settings Flow<br/>2 tests — P2<br/>Org settings + Invite user"]
            AUTH_E2E["Auth Flow<br/>1 test — P1<br/>Register → Login → 2FA → Logout"]
        end
    end

    style FIN fill:#dc3545,color:#fff
    style DE fill:#dc3545,color:#fff
    style CUR fill:#dc3545,color:#fff
    style AUTH_U fill:#dc3545,color:#fff
    style AUTH_API fill:#dc3545,color:#fff
    style INV_API fill:#dc3545,color:#fff
    style INV_E2E fill:#dc3545,color:#fff
    style DATE fill:#fd7e14,color:#fff
    style FMT fill:#fd7e14,color:#fff
    style EXP_API fill:#fd7e14,color:#fff
    style REP_API fill:#fd7e14,color:#fff
    style EXP_E2E fill:#fd7e14,color:#fff
    style REP_E2E fill:#fd7e14,color:#fff
    style AUTH_E2E fill:#fd7e14,color:#fff
    style SET_E2E fill:#6c757d,color:#fff

Priority Legend

Unit Tests (45 total)

Financial Calculations (12 tests)

Test File Test Name What It Tests Priority Status
vat.test.ts calculateVAT - Serbia 20% VAT calculation for Serbia P0 ❌ Not implemented
vat.test.ts calculateVAT - BiH 17% VAT calculation for BiH P0 ❌ Not implemented
vat.test.ts calculateVAT - Croatia 25% VAT calculation for Croatia P0 ❌ Not implemented
vat.test.ts calculateVAT - zero rate VAT at 0% (exports) P0 ❌ Not implemented
vat.test.ts calculateVAT - decimal amounts VAT on €123.45 P0 ❌ Not implemented
vat.test.ts calculateVAT - rounding Rounds to 2 decimal places P0 ❌ Not implemented
invoice-calc.test.ts calculateInvoiceTotal - subtotal Sum of line items P0 ❌ Not implemented
invoice-calc.test.ts calculateInvoiceTotal - tax Sum of tax amounts P0 ❌ Not implemented
invoice-calc.test.ts calculateInvoiceTotal - discount Subtract discount from subtotal P0 ❌ Not implemented
invoice-calc.test.ts calculateInvoiceTotal - total Subtotal + tax - discount P0 ❌ Not implemented
invoice-calc.test.ts calculateInvoiceTotal - multi-item Multiple line items with different tax rates P0 ❌ Not implemented
invoice-calc.test.ts calculateInvoiceTotal - precision NUMERIC(19,4) precision maintained P0 ❌ Not implemented

Double-Entry Validation (6 tests)

Test File Test Name What It Tests Priority Status
double-entry.test.ts validateTransaction - debit equals credit Debit amount = Credit amount P0 ❌ Not implemented
double-entry.test.ts validateTransaction - rejects unbalanced Throws error if debit ≠ credit P0 ❌ Not implemented
double-entry.test.ts validateTransaction - requires both accounts Throws if missing debit or credit account P0 ❌ Not implemented
double-entry.test.ts validateTransaction - multi-currency Validates amounts in base currency P0 ❌ Not implemented
double-entry.test.ts validateTransaction - precision NUMERIC precision preserved P0 ❌ Not implemented
double-entry.test.ts validateTransaction - zero amount Rejects zero-amount transactions P1 ❌ Not implemented

Currency Conversion (8 tests)

Test File Test Name What It Tests Priority Status
currency.test.ts convertCurrency - EUR to RSD Convert at locked exchange rate P0 ❌ Not implemented
currency.test.ts convertCurrency - RSD to EUR Reverse conversion P0 ❌ Not implemented
currency.test.ts convertCurrency - same currency Rate = 1.0 when currency matches P0 ❌ Not implemented
currency.test.ts convertCurrency - precision NUMERIC(19,4) preserved P0 ❌ Not implemented
currency.test.ts convertCurrency - large amounts €999,999,999.9999 P0 ❌ Not implemented
currency.test.ts convertCurrency - rounding Rounds to 4 decimal places P1 ❌ Not implemented
currency.test.ts lockExchangeRate - historical rate Uses rate from transaction date, not today P0 ❌ Not implemented
currency.test.ts lockExchangeRate - missing rate Throws if no rate available for date P1 ❌ Not implemented

Date Utilities (6 tests)

Test File Test Name What It Tests Priority Status
date.test.ts calculateDueDate - 30 days Invoice date + 30 days P1 ❌ Not implemented
date.test.ts calculateDueDate - custom terms Invoice date + custom days P1 ❌ Not implemented
date.test.ts isOverdue - past due date Returns true if today > due date P1 ❌ Not implemented
date.test.ts isOverdue - not overdue Returns false if today <= due date P1 ❌ Not implemented
date.test.ts getFiscalYear - starts Jan 1 Fiscal year 2026 = Jan 1 - Dec 31 P2 ❌ Not implemented
date.test.ts getFiscalYear - custom start Fiscal year starts on custom date P2 ❌ Not implemented

Number Formatting (5 tests)

Test File Test Name What It Tests Priority Status
format.test.ts formatCurrency - RSD "50,000.00 RSD" format P1 ❌ Not implemented
format.test.ts formatCurrency - EUR "€50,000.00" format P1 ❌ Not implemented
format.test.ts formatCurrency - BAM "50,000.00 BAM" format P1 ❌ Not implemented
format.test.ts formatCurrency - decimal places Respects currency decimal places (0-4) P1 ❌ Not implemented
format.test.ts formatCurrency - null Returns "-" for null/undefined P2 ❌ Not implemented

Authentication (8 tests)

Test File Test Name What It Tests Priority Status
auth.test.ts hashPassword - bcrypt 12 rounds Password hashed with bcrypt P0 ❌ Not implemented
auth.test.ts hashPassword - unique salt Each hash is different P0 ❌ Not implemented
auth.test.ts verifyPassword - correct password Returns true for correct password P0 ❌ Not implemented
auth.test.ts verifyPassword - incorrect password Returns false for wrong password P0 ❌ Not implemented
auth.test.ts generateJWT - valid payload JWT contains user ID, org ID, role P0 ❌ Not implemented
auth.test.ts generateJWT - expiry 15 min Access token expires in 15 min P0 ❌ Not implemented
auth.test.ts generateRefreshToken - expiry 7 days Refresh token expires in 7 days P0 ❌ Not implemented
auth.test.ts verifyJWT - expired token Throws error if token expired P1 ❌ Not implemented

Integration Tests (35 total)

Auth API (10 tests)

Test File Test Name What It Tests Priority Status
auth-api.test.ts POST /auth/register - success Creates user, returns 201 P0 ❌ Not implemented
auth-api.test.ts POST /auth/register - duplicate email Returns 400 if email exists P0 ❌ Not implemented
auth-api.test.ts POST /auth/register - weak password Returns 400 if password < 8 chars P0 ❌ Not implemented
auth-api.test.ts POST /auth/login - success Returns access + refresh tokens P0 ❌ Not implemented
auth-api.test.ts POST /auth/login - wrong password Returns 401 P0 ❌ Not implemented
auth-api.test.ts POST /auth/login - non-existent user Returns 401 P0 ❌ Not implemented
auth-api.test.ts POST /auth/refresh - success Returns new access token P0 ❌ Not implemented
auth-api.test.ts POST /auth/refresh - expired token Returns 401 P1 ❌ Not implemented
auth-api.test.ts POST /auth/logout - success Deletes refresh token from DB P1 ❌ Not implemented
auth-api.test.ts POST /auth/logout - already logged out Returns 204 (idempotent) P2 ❌ Not implemented

Invoices API (10 tests)

Test File Test Name What It Tests Priority Status
invoices-api.test.ts POST /invoices - success Creates invoice, returns 201 P0 ❌ Not implemented
invoices-api.test.ts POST /invoices - validates required fields Returns 400 if missing customer P0 ❌ Not implemented
invoices-api.test.ts POST /invoices - validates currency Returns 400 if invalid currency code P0 ❌ Not implemented
invoices-api.test.ts POST /invoices - org scoping Returns 403 if customer in different org P0 ❌ Not implemented
invoices-api.test.ts GET /invoices - list Returns paginated invoices P0 ❌ Not implemented
invoices-api.test.ts GET /invoices - filter by status Returns only "paid" invoices P1 ❌ Not implemented
invoices-api.test.ts GET /invoices/:id - success Returns invoice by ID P0 ❌ Not implemented
invoices-api.test.ts GET /invoices/:id - not found Returns 404 if ID doesn't exist P1 ❌ Not implemented
invoices-api.test.ts PATCH /invoices/:id - update status Changes status to "sent" P0 ❌ Not implemented
invoices-api.test.ts DELETE /invoices/:id - soft delete Marks as deleted (not hard delete) P1 ❌ Not implemented

Expenses API (8 tests)

Test File Test Name What It Tests Priority Status
expenses-api.test.ts POST /expenses - success Creates expense, returns 201 P0 ❌ Not implemented
expenses-api.test.ts POST /expenses - validates required fields Returns 400 if missing amount P0 ❌ Not implemented
expenses-api.test.ts POST /expenses - org scoping Returns 403 if vendor in different org P0 ❌ Not implemented
expenses-api.test.ts GET /expenses - list Returns paginated expenses P0 ❌ Not implemented
expenses-api.test.ts PATCH /expenses/:id/approve - success Changes status to "approved" P1 ❌ Not implemented
expenses-api.test.ts PATCH /expenses/:id/approve - requires admin Returns 403 if user is viewer P1 ❌ Not implemented
expenses-api.test.ts PATCH /expenses/:id/reject - success Changes status to "rejected" P1 ❌ Not implemented
expenses-api.test.ts DELETE /expenses/:id - soft delete Marks as deleted P1 ❌ Not implemented

Reports API (7 tests)

Test File Test Name What It Tests Priority Status
reports-api.test.ts GET /reports/profit-loss - success Returns P&L with revenue, expenses, net P1 ❌ Not implemented
reports-api.test.ts GET /reports/profit-loss - date range Filters by start/end date P1 ❌ Not implemented
reports-api.test.ts GET /reports/balance-sheet - success Returns assets, liabilities, equity P1 ❌ Not implemented
reports-api.test.ts GET /reports/cash-flow - success Returns operating, investing, financing P1 ❌ Not implemented
reports-api.test.ts GET /reports/vat - success Returns sales VAT, purchase VAT, net VAT P1 ❌ Not implemented
reports-api.test.ts GET /reports/vat - Serbia 20% Calculates Serbian VAT correctly P1 ❌ Not implemented
reports-api.test.ts GET /reports/vat - export PDF Returns PDF file P2 ❌ Not implemented

E2E Tests (12 total)

Invoice Flow (4 tests)

Test File Test Name What It Tests Priority Status
invoice-flow.spec.ts Create invoice via 6-step wizard Full invoice creation flow P0 ❌ Not implemented
invoice-flow.spec.ts Preview invoice before sending Preview modal shows correct totals P0 ❌ Not implemented
invoice-flow.spec.ts Send invoice to customer Email sent, status changed to "sent" P0 ❌ Not implemented
invoice-flow.spec.ts Mark invoice as paid Status changed to "paid", paidAt timestamp P0 ❌ Not implemented

Expense Flow (3 tests)

Test File Test Name What It Tests Priority Status
expense-flow.spec.ts Add expense with receipt upload Create expense, upload JPG P1 ❌ Not implemented
expense-flow.spec.ts Approve expense Admin approves, status changed P1 ❌ Not implemented
expense-flow.spec.ts Mark expense as paid Status changed to "paid" P1 ❌ Not implemented

Report Flow (2 tests)

Test File Test Name What It Tests Priority Status
report-flow.spec.ts Generate P&L report Select date range, view report P1 ❌ Not implemented
report-flow.spec.ts Export P&L to PDF Download PDF file P1 ❌ Not implemented

Settings Flow (2 tests)

Test File Test Name What It Tests Priority Status
settings-flow.spec.ts Update organization settings Change org name, tax settings P2 ❌ Not implemented
settings-flow.spec.ts Invite user to organization Send invite email, user accepts P2 ❌ Not implemented

Auth Flow (1 test)

Test File Test Name What It Tests Priority Status
auth-flow.spec.ts Register → Login → 2FA → Logout Full auth flow with 2FA P1 ❌ Not implemented

Critical Path Testing Flow

flowchart TD
    START(["Start: No Tests"]) --> P1

    subgraph P1["Phase 1 — MVP Critical (25 tests)"]
        P1_FIN["Financial Calculations<br/>12 unit tests<br/>VAT RS/BA/HR, invoice totals"]
        P1_DE["Double-Entry Validation<br/>6 unit tests<br/>debit=credit, balanced=true"]
        P1_AUTH["Auth API<br/>7 integration tests<br/>register, login, refresh"]
        P1_FIN --> P1_DE --> P1_AUTH
    end

    P1 --> P1_GATE{"Coverage<br/>>=50%?"}
    P1_GATE -->|Yes| P2
    P1_GATE -->|No| P1

    subgraph P2["Phase 2 — Core Features (35 tests)"]
        P2_CUR["Currency Conversion<br/>8 unit tests"]
        P2_INV["Invoices API<br/>10 integration tests"]
        P2_E2E["Invoice + Auth + Expense E2E<br/>8 E2E tests"]
        P2_REP["Reports API<br/>7 integration tests"]
        P2_CUR --> P2_INV --> P2_E2E --> P2_REP
    end

    P2 --> P2_GATE{"Coverage<br/>>=70%?"}
    P2_GATE -->|Yes| P3
    P2_GATE -->|No| P2

    subgraph P3["Phase 3 — Polish (32 tests)"]
        P3_DATE["Date + Formatting<br/>11 unit tests"]
        P3_EXP["Expenses API<br/>8 integration tests"]
        P3_EDGE["Edge cases<br/>8 tests"]
        P3_SET["Settings flow<br/>5 tests"]
        P3_DATE --> P3_EXP --> P3_EDGE --> P3_SET
    end

    P3 --> DONE(["Production Ready<br/>>80% coverage<br/>All critical paths tested"])

    style START fill:#6c757d,color:#fff
    style DONE fill:#198754,color:#fff
    style P1_GATE fill:#ffc107,stroke:#e0a800
    style P2_GATE fill:#ffc107,stroke:#e0a800

Test Implementation Roadmap

Phase 1 (MVP Critical) — 25 tests

Target: Before backend MVP launch

Phase 2 (Core Features) — 35 tests

Target: 1 month after MVP launch

Phase 3 (Polish) — 32 tests

Target: 3 months after MVP launch

Test Execution Commands

Run All Tests

npm run test        # All tests (unit + integration + E2E)

Run by Category

npm run test:unit           # Unit tests only
npm run test:integration    # Integration tests only
npm run test:e2e            # E2E tests only

Run Specific Test File

npm run test:unit -- vat.test.ts
npm run test:integration -- invoices-api.test.ts
npm run test:e2e -- invoice-flow.spec.ts

Run with Coverage

npm run test:unit -- --coverage

Watch Mode

npm run test:unit -- --watch

Coverage Tracking

Current Coverage (as of 2026-02-20)

Category Coverage Target Status
Financial Logic 0% >95% ❌ Not started
API Endpoints 0% >80% ❌ Not started
Utilities 0% >90% ❌ Not started
Overall 0% >80% ❌ Not started

Next Milestone: 50% coverage (25 critical tests)

Last Updated: 2026-02-20 Status: NO TESTS IMPLEMENTED YET Total Tests Planned: 92 (45 unit + 35 integration + 12 E2E) Next Action: Implement Phase 1 financial calculation tests (12 tests)

Infrastructure & DevOps

Infrastructure & DevOps

Deployment Guide

Bilko Deployment Guide

Last Updated: 2026-04-16
Current State: Stable Cloud Run deployment with custom domain provisioning

GCP Project Configuration

Secret Manager

Secret NameVersionPurpose
bilko-cors-originsv2Comma-separated list of allowed CORS origins
bilko-database-urllatestCloud SQL connection string (password reset 2026-04-16)
bilko-jwt-refresh-secretlatestJWT refresh token secret

CORS Parsing: Secret bilko-cors-origins is parsed by comma in apps/api/src/app.ts:61

Environment Variables

bilko-web

bilko-api

Custom Domain Setup

Current Domain

Domain Verification Constraint

Critical: Only alai.no is verified in GCP Search Console (via dev@alai.no).
basicconsulting.no is NOT verified. All custom domains MUST use *.alai.no subdomains until basicconsulting.no is verified.

Custom Domain Runbook

Prerequisites

  1. Domain must be verified in Google Search Console by the GCP account owner
  2. DNS provider access (one.com for alai.no, Vercel for basicconsulting.no)
  3. gcloud CLI authenticated: gcloud auth login

Step-by-Step

1. Create Domain Mapping

gcloud beta run domain-mappings create \
  --service=bilko-web \
  --domain=bilko-demo.alai.no \
  --region=europe-north1 \
  --project=tribal-sign-487920-k0

2. Configure DNS

Add CNAME record at DNS provider:

Type: CNAME
Host: bilko-demo
Value: ghs.googlehosted.com.
TTL: 3600

3. Wait for Certificate Provisioning

gcloud beta run domain-mappings describe bilko-demo.alai.no \
  --region=europe-north1 \
  --project=tribal-sign-487920-k0

Look for status.conditions → CertificateProvisioned: True

4. Update CORS Allowed Origins

# Get current value
gcloud secrets versions access latest --secret=bilko-cors-origins

# Add new domain
echo "https://bilko-demo.alai.no,https://bilko-web-dh4m46blja-lz.a.run.app" | \
  gcloud secrets versions add bilko-cors-origins --data-file=-

5. Deploy New Revision

gcloud run services update-traffic bilko-api \
  --to-latest \
  --region=europe-north1 \
  --project=tribal-sign-487920-k0

6. Verify CORS Preflight

curl -sSI -X OPTIONS \
  https://bilko-api-dh4m46blja-lz.a.run.app/api/v1/auth/login \
  -H "Origin: https://bilko-demo.alai.no" \
  -H "Access-Control-Request-Method: POST"

Expected: HTTP 204 with Access-Control-Allow-Origin: https://bilko-demo.alai.no

GitHub Actions CI/CD

Deployment Steps

  1. Authenticate via WIF
  2. Build Docker images (api + web)
  3. Push to Google Container Registry
  4. Deploy to Cloud Run (europe-north1)
  5. Run smoke tests (Playwright E2E)

Testing

Backend Tests

End-to-End Tests

Recent Fixes (2026-04-16)

Commits

Key Changes

  1. Service Naming: Production services now named bilko-api and bilko-web (no -staging suffix)
  2. API Enhancements: Invoice list now includes currency, new profile settings endpoint
  3. Frontend Fixes: Accessibility improvements (ARIA), avatar initials when no image, visual polish

Rollback Procedure

Rollback to Previous Revision

# List revisions
gcloud run revisions list --service=bilko-api --region=europe-north1

# Rollback
gcloud run services update-traffic bilko-api \
  --to-revisions=bilko-api-00036=100 \
  --region=europe-north1

Rollback via GitHub Actions

git revert HEAD
git push origin main  # Triggers deploy workflow

Troubleshooting

Issue: CORS errors in browser

Cause: Custom domain not in bilko-cors-origins secret
Fix: Update secret (see step 4 in Custom Domain Runbook), deploy new revision

Issue: 502 Bad Gateway

Cause: Service unhealthy or startup timeout
Fix: Check Cloud Run logs: gcloud run services logs read bilko-api --region=europe-north1 --limit=50

Issue: Database connection timeout

Cause: Cloud SQL Proxy misconfiguration or secret outdated
Fix: Verify bilko-database-url secret, check Cloud SQL instance status

Issue: Custom domain SSL pending

Cause: DNS not propagated or domain not verified in Search Console
Fix: Wait 15-30 min after DNS change, verify domain ownership in Search Console

Architecture Diagram

┌─────────────────┐
│  one.com DNS    │
│  bilko-demo.    │
│  alai.no        │
└────────┬────────┘
         │ CNAME
         ▼
┌─────────────────────────────┐
│  ghs.googlehosted.com       │
│  (Google Cloud Load Balancer)│
└────────┬────────────────────┘
         │
         ▼
┌─────────────────────────────┐       ┌──────────────────┐
│  bilko-web (Cloud Run)      │──────▶│  bilko-api       │
│  Next.js 15 + React 19      │  HTTP │  Express + TS    │
│  europe-north1              │       │  europe-north1   │
└─────────────────────────────┘       └────────┬─────────┘
                                               │
                                               ▼
                                      ┌─────────────────┐
                                      │  Cloud SQL      │
                                      │  PostgreSQL 16  │
                                      │  europe-north1  │
                                      └─────────────────┘
Infrastructure & DevOps

CI/CD Pipeline

Bilko — CI/CD Pipeline

Status: PLANNED (GitHub Actions workflows not yet configured)

This document describes the target continuous integration and deployment pipeline for Bilko.

Overview

Bilko uses GitHub Actions for CI/CD automation:

Why GitHub Actions?

Pipeline Overview

flowchart TD
    PUSH(["git push / PR opened"])
    TRIGGER{{"Branch?"}}

    subgraph PARALLEL["Stage 1 — Parallel Quality Checks"]
        LINT["Lint\nESLint + Prettier\n<2 min"]
        TC["Type Check\nTypeScript strict\n<2 min"]
        UT["Unit Tests\nVitest + coverage\n<3 min"]
        IT["Integration Tests\nSupertest + real PG\n<5 min"]
    end

    BUILD["Build (Turborepo)\napps/web → .next\napps/api → dist\n<4 min"]

    subgraph E2E_BLOCK["Stage 3 — E2E Tests"]
        VP["Wait for Vercel\nPreview URL"]
        E2E["Playwright E2E\nChromium + Firefox + WebKit\n<8 min"]
    end

    subgraph DEPLOY["Stage 4 — Deploy (main only)"]
        DF["Deploy Frontend\nVercel Production\nbilko.io"]
        DB["Deploy Backend\nRailway Production\napi.bilko.io"]
        MIGRATE["DB Migrations\nnpx prisma migrate deploy"]
    end

    NOTIFY["Slack Notification\n#bilko-deploys"]

    PUSH --> TRIGGER
    TRIGGER -->|"PR"| PARALLEL
    TRIGGER -->|"main"| PARALLEL
    PARALLEL --> BUILD
    BUILD --> E2E_BLOCK
    VP --> E2E
    E2E_BLOCK --> DEPLOY
    DEPLOY --> NOTIFY

    LINT & TC & UT & IT -->|"All pass"| BUILD

Pipeline Stages

1. Code Quality (Parallel)

ESLint + Prettier

- name: Lint
  run: npm run lint

Checks:

Fail Conditions:

TypeScript Type Check

- name: Type Check
  run: npm run type-check

Checks:

Fail Conditions:

2. Unit Tests (Vitest)

- name: Unit Tests
  run: npm run test:unit

Coverage Requirements:

Test Types:

Fail Conditions:

3. Integration Tests (Supertest)

- name: Integration Tests
  run: npm run test:integration
  env:
    DATABASE_URL: ${{ secrets.TEST_DATABASE_URL }}

Setup:

Test Types:

Fail Conditions:

Job Dependency Graph

graph LR
    LINT["lint"]
    TC["type-check"]
    UT["unit-tests"]
    IT["integration-tests"]
    BUILD["build\nneeds: lint, type-check,\nunit-tests, integration-tests"]
    E2E["e2e-tests\nneeds: build"]
    DF["deploy-frontend\nneeds: build, e2e-tests\nif: main branch"]
    DB_JOB["deploy-backend\nneeds: build, e2e-tests\nif: main branch"]

    LINT --> BUILD
    TC --> BUILD
    UT --> BUILD
    IT --> BUILD
    BUILD --> E2E
    E2E --> DF
    E2E --> DB_JOB

4. Build (Turborepo)

- name: Build
  run: npm run build

Build Targets:

Fail Conditions:

Artifacts:

5. E2E Tests (Playwright)

- name: E2E Tests
  run: npm run test:e2e
  env:
    PLAYWRIGHT_BASE_URL: ${{ env.PREVIEW_URL }}

Setup:

Test Scenarios:

Browsers:

Fail Conditions:

6. Deploy

Frontend (Vercel)

- name: Deploy Frontend
  uses: vercel/action@v1
  with:
    vercel-token: ${{ secrets.VERCEL_TOKEN }}
    vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
    vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
    production: ${{ github.ref == 'refs/heads/main' }}

Deployment Strategy:

Rollback:

Backend (Railway)

- name: Deploy Backend
  uses: railway-app/action@v1
  with:
    railway-token: ${{ secrets.RAILWAY_TOKEN }}
    service: api
    environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}

Pre-Deploy:

  1. Run database migrations: npx prisma migrate deploy
  2. Health check on current deployment

Deployment Strategy:

Rollback:

Workflow Files

Main Workflow (.github/workflows/main.yml)

name: CI/CD Pipeline

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: npm
      - run: npm ci
      - run: npm run lint

  type-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: npm
      - run: npm ci
      - run: npm run type-check

  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: npm
      - run: npm ci
      - run: npm run test:unit -- --coverage
      - uses: codecov/codecov-action@v3
        with:
          files: ./coverage/coverage-final.json

  integration-tests:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:15
        env:
          POSTGRES_USER: bilko_test
          POSTGRES_PASSWORD: bilko_test
          POSTGRES_DB: bilko_test
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: npm
      - run: npm ci
      - run: npx prisma migrate deploy
        env:
          DATABASE_URL: postgresql://bilko_test:bilko_test@localhost:5432/bilko_test
      - run: npm run test:integration
        env:
          DATABASE_URL: postgresql://bilko_test:bilko_test@localhost:5432/bilko_test

  build:
    needs: [lint, type-check, unit-tests, integration-tests]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: npm
      - run: npm ci
      - run: npm run build
      - uses: actions/upload-artifact@v3
        with:
          name: build-artifacts
          path: |
            apps/web/.next
            apps/api/dist

  e2e-tests:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: npm
      - run: npm ci
      - run: npx playwright install --with-deps
      - name: Wait for Vercel Preview
        uses: patrickedqvist/wait-for-vercel-preview@v1.3.1
        id: vercel-preview
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          max_timeout: 300
      - run: npm run test:e2e
        env:
          PLAYWRIGHT_BASE_URL: ${{ steps.vercel-preview.outputs.url }}
      - uses: actions/upload-artifact@v3
        if: failure()
        with:
          name: playwright-screenshots
          path: test-results/

  deploy-frontend:
    needs: [build, e2e-tests]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: vercel/action@v1
        with:
          vercel-token: ${{ secrets.VERCEL_TOKEN }}
          vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
          vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
          production: true

  deploy-backend:
    needs: [build, e2e-tests]
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: railway-app/action@v1
        with:
          railway-token: ${{ secrets.RAILWAY_TOKEN }}
          service: api
          environment: production

Hotfix Workflow (.github/workflows/hotfix.yml)

Fast-track workflow for urgent production fixes (bypasses full pipeline):

name: Hotfix Deploy

on:
  workflow_dispatch:
    inputs:
      reason:
        description: 'Reason for hotfix'
        required: true

jobs:
  hotfix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: npm
      - run: npm ci
      - run: npm run lint
      - run: npm run type-check
      - run: npm run build
      - uses: vercel/action@v1
        with:
          vercel-token: ${{ secrets.VERCEL_TOKEN }}
          vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
          vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
          production: true
      - uses: railway-app/action@v1
        with:
          railway-token: ${{ secrets.RAILWAY_TOKEN }}
          service: api
          environment: production
      - name: Notify Team
        uses: slackapi/slack-github-action@v1.24.0
        with:
          webhook-url: ${{ secrets.SLACK_WEBHOOK }}
          payload: |
            {
              "text": "🚨 Hotfix deployed: ${{ github.event.inputs.reason }}"
            }

Secrets Configuration

GitHub repository secrets (Settings → Secrets and variables → Actions):

Secret Name Description How to Generate
VERCEL_TOKEN Vercel deployment token Vercel Dashboard → Settings → Tokens
VERCEL_PROJECT_ID Vercel project ID vercel link output
VERCEL_ORG_ID Vercel organization ID vercel link output
RAILWAY_TOKEN Railway deployment token Railway Dashboard → Settings → Tokens
TEST_DATABASE_URL PostgreSQL test DB URL Use GitHub Actions service
SLACK_WEBHOOK Slack notification webhook Slack → Apps → Incoming Webhooks

Branch Protection Rules

Configure on GitHub (Settings → Branches → Branch protection rules for main):

Performance Targets

Pipeline Duration

Optimization Strategies

Failure Handling

Failure & Rollback Flow

flowchart TD
    FAIL(["Pipeline Failure"])
    WHERE{{"Failed\nStage?"}}

    BLOCK_PR["PR Blocked\nLogs in GitHub Actions UI\nArtifacts uploaded"]
    FIX_CODE["Fix code\nPush new commit"]

    HEALTH{{"Health check\npasses?"}}
    AUTO_ROLL["Automatic Rollback\nPrevious deployment promoted"]
    SLACK_ALERT["Slack Alert\n#bilko-deploys"]
    MANUAL["Manual Investigation\nRailway / Vercel logs"]

    FLAKY{{"Flaky\nE2E test?"}}
    RETRY["Playwright retry\n(retries: 1)"]
    CRITICAL["Mark critical\nCreate GitHub issue"]

    FAIL --> WHERE
    WHERE -->|"Quality / Tests"| BLOCK_PR --> FIX_CODE
    WHERE -->|"Deploy"| HEALTH
    WHERE -->|"E2E"| FLAKY

    HEALTH -->|No| AUTO_ROLL --> SLACK_ALERT
    HEALTH -->|Yes| MANUAL

    FLAKY -->|Yes| RETRY
    RETRY -->|Still fails| CRITICAL
    FLAKY -->|No| BLOCK_PR

Test Failures

  1. Pipeline stops immediately (fail-fast)
  2. Logs available in GitHub Actions UI
  3. Artifacts uploaded (screenshots, coverage reports)
  4. PR blocked until fixed

Deployment Failures

  1. Automatic rollback to previous version
  2. Slack notification to team
  3. Health check endpoint monitored
  4. Manual intervention if health check fails

Flaky Tests

Monitoring & Notifications

Slack Notifications

Notify on:

Email Notifications

GitHub Actions built-in:

Local Testing

Developers can run the full pipeline locally before pushing:

# Lint
npm run lint

# Type check
npm run type-check

# Unit tests with coverage
npm run test:unit -- --coverage

# Integration tests (requires local PostgreSQL)
npm run test:integration

# Build
npm run build

# E2E tests (requires build)
npm run test:e2e

Pre-commit Hook (Recommended): Install Husky to run lint + type-check before every commit:

npx husky install
npx husky add .husky/pre-commit "npm run lint && npm run type-check"

Future Enhancements

Security Scanning

Performance Testing

Database Migration Testing

Last Updated: 2026-02-20 Status: PLANNED — No GitHub Actions workflows configured yet Next Steps: Create .github/workflows/main.yml, configure secrets, test on staging branch

Infrastructure & DevOps

Environment Configuration

Bilko — Development Environment Setup

This guide walks through setting up a local development environment for Bilko.

Environment Configuration Overview

graph TD
    subgraph DEV["Development Environment"]
        D_ENV["apps/api/.env\napps/web/.env.local"]
        D_PG["PostgreSQL 15\nlocalhost:5432\nbilko_dev"]
        D_WEB["Next.js\nlocalhost:3000"]
        D_API["Express\nlocalhost:4000"]
        D_PRISMA["Prisma Studio\nlocalhost:5555"]
    end

    subgraph STAGING["Staging / Preview"]
        S_SECRETS["Railway Dashboard Env Vars\n(staging environment)"]
        S_VERCEL["Vercel Preview\nbilko-pr-{n}.vercel.app"]
        S_RAIL["Railway Staging\nbilko-api-staging"]
        S_PG["Railway PostgreSQL\nbilko_staging"]
    end

    subgraph PROD["Production"]
        P_SECRETS["Railway + Vercel\nDashboard Secrets"]
        P_WEB["Vercel Production\nbilko.io"]
        P_API["Railway Production\napi.bilko.io"]
        P_PG["Railway PostgreSQL\nbilko_prod"]
        P_R2["Cloudflare R2\nbilko-receipts"]
    end

    D_ENV --> D_API --> D_PG
    D_ENV --> D_WEB
    D_API --> D_PRISMA

    S_SECRETS --> S_RAIL --> S_PG
    S_SECRETS --> S_VERCEL

    P_SECRETS --> P_API --> P_PG
    P_SECRETS --> P_WEB
    P_API --> P_R2

Prerequisites

Required Software

Software Version Check Command Install
Node.js 18+ node --version https://nodejs.org
npm 9+ npm --version Included with Node.js
PostgreSQL 15+ psql --version https://postgresql.org/download
Git Latest git --version https://git-scm.com

Optional Tools

Tool Purpose Install
Prisma Studio Database GUI npx prisma studio
Postman API testing https://postman.com
VS Code Recommended IDE https://code.visualstudio.com

Installation Steps

1. Clone Repository

git clone https://github.com/your-org/bilko.git
cd bilko

2. Install Dependencies

# Install all workspace dependencies
npm install

This installs dependencies for:

Local Setup Flow

flowchart TD
    CLONE["git clone bilko"]
    INSTALL["npm install\n(Turborepo workspace)"]
    PG{{"PostgreSQL\navailable?"}}
    LOCAL_PG["Create local DB\npsql -U postgres\nCREATE DATABASE bilko_dev"]
    DOCKER_PG["Docker PostgreSQL\npostgres:15\nport 5432"]
    ENV["Configure .env files\napps/api/.env\napps/web/.env.local"]
    MIGRATE["npx prisma migrate dev\n(applies 15 table schema)"]
    GENERATE["npx prisma generate\n(Prisma Client)"]
    SEED["npx prisma db seed\n(demo org + user) — optional"]
    DEV["npm run dev\nlocalhost:3000 + 4000"]

    CLONE --> INSTALL --> PG
    PG -->|"Local install"| LOCAL_PG --> ENV
    PG -->|"Docker"| DOCKER_PG --> ENV
    ENV --> MIGRATE --> GENERATE --> SEED --> DEV

3. Set Up PostgreSQL Database

Option A: Local PostgreSQL Installation

Create database and user:

psql -U postgres

CREATE DATABASE bilko_dev;
CREATE USER bilko WITH PASSWORD 'bilko';
GRANT ALL PRIVILEGES ON DATABASE bilko_dev TO bilko;
\q

Option B: Docker PostgreSQL

docker run --name bilko-postgres \
  -e POSTGRES_USER=bilko \
  -e POSTGRES_PASSWORD=bilko \
  -e POSTGRES_DB=bilko_dev \
  -p 5432:5432 \
  -d postgres:15

4. Configure Environment Variables

apps/api/.env

Create .env file in apps/api/ directory:

# Database
DATABASE_URL=postgresql://bilko:bilko@localhost:5432/bilko_dev

# JWT Secrets (use `openssl rand -base64 32` to generate)
JWT_SECRET=your-secret-here-change-in-production
JWT_REFRESH_SECRET=your-refresh-secret-here-change-in-production

# Email (optional for local dev, required for staging/production)
SENDGRID_API_KEY=

# File Storage (optional for local dev)
R2_ACCESS_KEY_ID=
R2_SECRET_ACCESS_KEY=
R2_BUCKET_NAME=bilko-receipts-dev
R2_ENDPOINT=

# App Config
PORT=4000
NODE_ENV=development
ALLOWED_ORIGINS=http://localhost:3000

apps/web/.env.local

Create .env.local file in apps/web/ directory:

# API URL (backend)
NEXT_PUBLIC_API_URL=http://localhost:4000

# App Environment
NEXT_PUBLIC_APP_ENV=development

5. Run Database Migrations

cd packages/database
npx prisma migrate dev
npx prisma generate

This will:

  1. Apply all migrations to bilko_dev database
  2. Create 15 tables from schema.prisma
  3. Generate Prisma Client

6. Seed Database (Optional)

Create seed script: packages/database/prisma/seed.ts

import { PrismaClient } from '@prisma/client';

const prisma = new PrismaClient();

async function main() {
  // Create demo organization
  const org = await prisma.organization.create({
    data: {
      name: 'Demo Company d.o.o.',
      registrationNumber: '12345678',
      vatNumber: 'RS123456789',
      baseCurrency: 'RSD',
      country: 'RS',
      language: 'sr',
    },
  });

  // Create demo user
  await prisma.user.create({
    data: {
      organizationId: org.id,
      email: 'demo@bilko.io',
      passwordHash: '$2b$12$...', // bcrypt hash of "demo123"
      fullName: 'Demo User',
      role: 'owner',
    },
  });

  console.log('✅ Seed data created');
}

main()
  .catch((e) => {
    console.error(e);
    process.exit(1);
  })
  .finally(async () => {
    await prisma.$disconnect();
  });

Run seed:

npx prisma db seed

Running the Application

Start All Services (Recommended)

From root directory:

npm run dev

Turborepo starts:

Start Individual Services

Frontend Only

cd apps/web
npm run dev

Backend Only

cd apps/api
npm run dev

Development Tools

Prisma Studio (Database GUI)

cd packages/database
npx prisma studio

Opens at http://localhost:5555

Features:

Hot Reload

Both frontend and backend support hot reload:

Tech Stack Overview

Frontend (apps/web/)

Technology Version Purpose
Next.js 15.0.0 React framework with SSR
React 19.0.0 UI library
TypeScript 5.3.0 Type safety
Tailwind CSS 4.0.0 Styling
shadcn/ui Latest Component library (Radix UI + Tailwind)
Zustand 4.5.0 State management
Recharts 2.15.0 Charts (revenue, expenses)
Lucide React Latest Icons

Backend (apps/api/)

Technology Version Purpose
Express TBD Web framework
TypeScript 5.3.0 Type safety
Prisma Latest ORM + migrations
PostgreSQL 15+ Database
Passport.js TBD Authentication
Zod TBD Validation
Helmet TBD Security headers
bcrypt TBD Password hashing
jsonwebtoken TBD JWT tokens

Database (packages/database/)

Feature Implementation
ORM Prisma
Database PostgreSQL 15
Models 15 (see schema.prisma)
Migrations Prisma Migrate
Seeding prisma/seed.ts

Common Tasks

Create Database Migration

After modifying schema.prisma:

cd packages/database
npx prisma migrate dev --name describe_your_changes

Reset Database (DEV ONLY)

WARNING: Deletes all data.

cd packages/database
npx prisma migrate reset

Generate Prisma Client

After pulling new migrations:

cd packages/database
npx prisma generate

Run Linter

npm run lint

Runs ESLint + Prettier on all workspaces.

Run Type Check

npm run type-check

Runs TypeScript compiler in --noEmit mode (checks types without building).

Build for Production

npm run build

Builds:

Troubleshooting

Database Connection Errors

Error: Can't reach database server at localhost:5432

Solutions:

  1. Check PostgreSQL is running: pg_isready
  2. Verify credentials in .env
  3. Check port 5432 is not blocked

Port Already in Use

Error: Port 3000 is already in use

Solutions:

  1. Kill process using port: lsof -ti:3000 | xargs kill
  2. Change port: PORT=3001 npm run dev

Prisma Client Not Generated

Error: @prisma/client not found

Solution:

cd packages/database
npx prisma generate

TypeScript Errors After Pulling Changes

Solution:

npm install
npx prisma generate
npm run type-check

Hot Reload Not Working

Solution:

  1. Restart dev server
  2. Clear Next.js cache: rm -rf apps/web/.next
  3. Check file watcher limits (Linux): sysctl fs.inotify.max_user_watches

VS Code Configuration

Create .vscode/extensions.json:

{
  "recommendations": [
    "dbaeumer.vscode-eslint",
    "esbenp.prettier-vscode",
    "bradlc.vscode-tailwindcss",
    "prisma.prisma",
    "ms-vscode.vscode-typescript-next"
  ]
}

Settings

Create .vscode/settings.json:

{
  "editor.formatOnSave": true,
  "editor.defaultFormatter": "esbenp.prettier-vscode",
  "editor.codeActionsOnSave": {
    "source.fixAll.eslint": true
  },
  "typescript.tsdk": "node_modules/typescript/lib",
  "tailwindCSS.experimental.classRegex": [
    ["cva\\(([^)]*)\\)", "[\"'`]([^\"'`]*).*?[\"'`]"]
  ]
}

Secrets Management

flowchart LR
    DEV_SECRET["Developer\n.env file\n(gitignored)"]
    GH_SECRET["GitHub Secrets\nActions → Settings\nVERCEL_TOKEN\nRAILWAY_TOKEN\nTEST_DATABASE_URL\nSLACK_WEBHOOK"]
    VERCEL_ENV["Vercel Dashboard\nEnvironment Variables\nNEXT_PUBLIC_API_URL\nNEXT_PUBLIC_APP_ENV"]
    RAILWAY_ENV["Railway Dashboard\nEnvironment Variables\nDATABASE_URL (auto)\nJWT_SECRET\nJWT_REFRESH_SECRET\nSENDGRID_API_KEY\nR2_ACCESS_KEY_ID\nR2_SECRET_ACCESS_KEY"]

    subgraph NEVERCOMMIT["NEVER commit to git"]
        SECRET_FILE[".env files\nAPI keys\nJWT secrets\nDB passwords"]
    end

    DEV_SECRET -->|"local only"| NEVERCOMMIT
    GH_SECRET -->|"CI/CD pipeline"| VERCEL_ENV
    GH_SECRET -->|"CI/CD pipeline"| RAILWAY_ENV

Environment Variables Reference

apps/api/.env

Variable Required Default Description
DATABASE_URL Yes PostgreSQL connection string
JWT_SECRET Yes Access token secret (32+ chars)
JWT_REFRESH_SECRET Yes Refresh token secret (32+ chars)
SENDGRID_API_KEY No SendGrid API key (emails)
R2_ACCESS_KEY_ID No Cloudflare R2 access key
R2_SECRET_ACCESS_KEY No Cloudflare R2 secret key
R2_BUCKET_NAME No R2 bucket name
R2_ENDPOINT No R2 endpoint URL
PORT No 4000 API server port
NODE_ENV No development Environment (development/production)
ALLOWED_ORIGINS No * CORS allowed origins (comma-separated)

apps/web/.env.local

Variable Required Default Description
NEXT_PUBLIC_API_URL Yes Backend API URL
NEXT_PUBLIC_APP_ENV No development Environment name

Testing Locally

Unit Tests

npm run test:unit

Integration Tests

Requires test database:

# Create test database
createdb bilko_test

# Run tests
npm run test:integration

E2E Tests

Requires both frontend and backend running:

# Terminal 1: Start dev servers
npm run dev

# Terminal 2: Run E2E tests
npm run test:e2e

Next Steps

After setting up your environment:

  1. Read the docs:

  2. Create your first feature:

    • Pick a task from the backlog
    • Create feature branch: git checkout -b feature/your-feature
    • Make changes, test locally
    • Submit PR

  3. Join the team:

    • Slack: #bilko-dev
    • Weekly sync: Fridays 10:00 CET
    • Documentation: Bilko Wiki

Last Updated: 2026-02-20 Status: CURRENT — Reflects actual setup as of this date Maintainer: John (AI Director)

Infrastructure & DevOps

Bilko Stage Environment — Cloud SQL & IAM (Phase 1)

Summary

MC #10177 Phase 1 (FlowForge, 2026-04-29): bilko-staging-db Cloud SQL instance brought under Flyway management. Pre-existing instance (2026-04-15, Prisma-managed). V1+V2+V4+V5 baselined, V3 actually executed. IAM SA created. Phase 2 (Cloud Run) pending.

Instance Details

FieldValue
Instance namebilko-staging-db
Connection nametribal-sign-487920-k0:europe-north1:bilko-staging-db
IP35.228.33.112
Tierdb-g1-small
VersionPOSTGRES_16
StateRUNNABLE (pre-existing since 2026-04-15; reused)
Databasebilko
App userbilko
Migration adminmigration_admin
Secretbilko-staging-db-password (Secret Manager, 2026-04-15)
IAM SAbilko-api-stage-sa@tribal-sign-487920-k0.iam.gserviceaccount.com
IAM SA rolesroles/cloudsql.client + roles/secretmanager.secretAccessor
Total tables24 (public schema)

Flyway State (2026-04-29)

VersionScriptStatus
V1V1__initial_schema.sqlBaselined (DDL existed via Prisma)
V2V2__add_missing_prisma_columns.sqlBaselined (DDL existed via Prisma)
V3V3__add_jmbg_oib_encryption.sqlEXECUTED LIVE — jmbg/jmbg_hash/oib/oib_hash + 2 indexes added to contacts (ADR-014)
V4V4__add_supplementary_tables.sqlBaselined (DDL existed via Prisma)
V5V5__add_logo_url_to_organizations.sqlBaselined (DDL existed via Prisma)

Open Risks

Phase Status

References

Infrastructure & DevOps

Bilko Stage Environment — Cloud Run Services (Phase 2)

Overview

MC: #10177 Phase 2  |  Deployed: 2026-04-30  |  Git SHA: 1f48fdc  |  Status: LIVE, healthy

GCP Project: tribal-sign-487920-k0  |  Region: europe-north1

WARNING — TD-3 PROD CUTOVER BLOCKER (MC #10241): bilko-staging-db uses public IP (0.0.0.0/0 authorized network, requireSsl=false). Acceptable for stage only. MUST NOT be replicated to production. Production deploy is blocked until Cloud SQL private IP + VPC connector is configured.

Live Services

ServiceURLImageMin/MaxMemoryStatus
bilko-api-stagebilko-api-stagebilko/api:stage-1f48fdc0/2512Mi, CPU 1LIVE
bilko-web-stagebilko-web-stagebilko/web:stage-1f48fdc0/2512Mi, CPU 1LIVE

Full Artifact Registry prefix: europe-north1-docker.pkg.dev/tribal-sign-487920-k0/

bilko-api-stage Detail

FieldValue
DockerfileDockerfile.api-kotlin (Kotlin/Ktor, port 4001)
JAVA_OPTSHikariCP connection pool tuned
Cloud SQLtribal-sign-487920-k0:europe-north1:bilko-staging-db via direct TCP 35.228.33.112:5432 (TD-2 + TD-3)
Secretsbilko-staging-db-password, bilko-jwt-secret, bilko-jwt-refresh-secret, bilko-staging-field-encryption-key (NEW, ADR-014), bilko-staging-field-hmac-key (NEW, ADR-014)
SAbilko-api-stage-sa@tribal-sign-487920-k0.iam.gserviceaccount.com
SA rolescloudsql.client, secretmanager.secretAccessor
SmokeGET /api/v1/health → 200 {"status":"ok","service":"bilko-api","version":"1.0.0"}
Revisionbilko-api-stage-00001-5x8 (100% traffic)

bilko-web-stage Detail

FieldValue
Dockerfileapps/web/Dockerfile (Next.js 15)
NEXT_PUBLIC_API_URLhttps://bilko-api-stage-dh4m46blja-lz.a.run.app/api/v1
NEXT_PUBLIC_APP_ENVstage
SmokeGET / → 200 (HTML, lang=sr-Latn)
Revisionbilko-web-stage-00001-c45 (100% traffic)
Build noteFresh npm install (no lockfile) — workaround TD-1 MC #10239

Smoke Test Commands

# API health (expected: {"status":"ok","service":"bilko-api","version":"1.0.0"})
curl -s https://bilko-api-stage-dh4m46blja-lz.a.run.app/api/v1/health

# Web root (expected: HTTP 200)
curl -s -o /dev/null -w "HTTP %{http_code}" https://bilko-web-stage-dh4m46blja-lz.a.run.app

Stage Rollback

# List revisions
gcloud run revisions list --service bilko-api-stage --project=tribal-sign-487920-k0 --region=europe-north1

# Route to prior revision
gcloud run services update-traffic bilko-api-stage --project=tribal-sign-487920-k0 --region=europe-north1 --to-revisions=REVISION_NAME=100

Stage Redeploy (image update only)

gcloud run services update bilko-api-stage --project=tribal-sign-487920-k0 --region=europe-north1 --image=europe-north1-docker.pkg.dev/tribal-sign-487920-k0/bilko/api:NEW_TAG
gcloud run services update bilko-web-stage --project=tribal-sign-487920-k0 --region=europe-north1 --image=europe-north1-docker.pkg.dev/tribal-sign-487920-k0/bilko/web:NEW_TAG

Phase 2 Tech Debt Tracker

IDMCDescriptionSeverityBlocks
TD-1#10239package-lock.json macOS arm64 missing linux-x64 native bins — fresh npm install workaroundMediumClean stage re-deploys
TD-2#10240postgres-socket-factory not in build.gradle.kts — Kotlin API uses direct TCP public IPMediumSecure DB connectivity
TD-3#10241bilko-staging-db: 0.0.0.0/0 + requireSsl=false — STAGE ONLY, NEVER replicate to prodBLOCKERPROD CUTOVER Phase 5

Key Learnings

  1. Lockfile drift macOS/linux: fresh npm install required per build until TD-1 fixed
  2. Kotlin Cloud SQL TCP via public IP works for stage, NOT prod (TD-2 + TD-3)
  3. --no-traffic flag invalid on new service creation — route 100% on first deploy
  4. Field encryption/HMAC keys are random per env (stage isolated from prod — ADR-014)
  5. HikariCP socketPath URL param silently ignored — always use explicit host:port for direct TCP

References

Infrastructure & DevOps

Bilko demo — receipt upload/download fix (GCS shared storage) — MC #103095 (2026-06-07)

1. Symptom

CEO reported that receipt upload (PNG, PDF, JPG) was not working — a central part of the app. Investigation showed upload itself succeeded (HTTP 201) but viewing/downloading the receipt returned intermittent HTTP 404 approximately 60% of the time. From the user seat, intermittent 404 on download reads as a broken upload. The UI button "Priloženi dokumenti" -> "Preuzmi" triggered the failing request.

2. Root Cause

The demo API had no shared object storage configured. It used BILKO_LOCAL_UPLOAD_DIR=/tmp/bilko-uploads — per-instance ephemeral local disk, routed through ReceiptService.kt persistLocalIfEnabled, storing files as local:// URLs.

Cloud Run (bilko-api-demo) runs up to 5 instances with concurrency=1 (set during the earlier MC #103057 hang mitigation). An upload landing on instance A wrote the file to that instance's /tmp; a subsequent download request routed to instance B, which had no copy of the file, returning 404. Files were also permanently lost on any instance restart or recycle.

A secondary symptom was occasional 15-second frontend timeouts on the expense detail page: the several parallel API calls the page makes on load were serialised by concurrency=1.

Contributing config drift: the active deploy step in infrastructure/gcp/cloudbuild.yaml (deploy-api-demo) used --set-env-vars which replaces the entire env set, making a separate cloudbuild-demo-api.yaml with BILKO_LOCAL_UPLOAD_DIR ineffective.

3. Fix

Applied by FlowForge (Kelsey Hightower). No application code changes were required — ReceiptService.kt is unchanged and uses a transparent filesystem abstraction.

ChangeDetail
GCS bucket provisionedgs://bilko-receipts-demo, region europe-north1, uniform bucket-level access, IAM: bilko-api-stage-sa = roles/storage.objectAdmin
Cloud Run exec environmentUpgraded to gen2 (required for gcsfuse volume mounts)
Volume mount added--add-volume=name=receipts,type=cloud-storage,bucket=bilko-receipts-demo
Mount path--add-volume-mount=volume=receipts,mount-path=/mnt/bilko-uploads
Env var updatedBILKO_LOCAL_UPLOAD_DIR: /tmp/bilko-uploads -> /mnt/bilko-uploads
Config persistedAll changes committed to infrastructure/gcp/cloudbuild.yaml (deploy-api-demo step)

Deployed: tag v0.2.30, commit 642bbc0cefdc63777d8c12d61aa61a8257716290, revision bilko-api-demo-00135-rmv, 100% traffic on new revision. Cloud Build ID: 793f929b-f41a-49e9-afa9-65b54d3972ff.

Note: Cloud Build reported FAILURE due to a pre-existing flaky test timeout in coverage artifact upload (expenses-ux-102887). This is unrelated to the GCS change. All 8 deploy gates (lint, typecheck, unit, coverage, trivy, gitleaks, semgrep, npm-audit) PASSED; build, push, trivy, migrate, deploy, promote, smoke-test, and verify-sha steps all succeeded.

4. Validation

Validated by Proveo (Angie Jones) — GLOBAL VERDICT: PASS.

TestResult
PDF upload + 10x download10/10 HTTP 200 (was intermittent 404)
PNG upload + 10x download10/10 HTTP 200
JPEG upload + 10x download10/10 HTTP 200
GCS persistence (15 total calls)15/15 HTTP 200 — confirmed shared across instances
UI: Priloženi dokumenti sectionVisible; download icon -> /content HTTP 200
Health checkhttps://bilko-demo-api.alai.no/api/v1/health -> 200 {"status":"ok"}

Company Mesh: mesh-thr-03f166bb-f001-4293-b9ec-db245e5790b3 — PASS.

Open item (non-blocker): 1 pre-fix orphan document (uploaded 07:58 before GCS deploy at 08:30) returns 404 as expected — the file lived in ephemeral /tmp on a recycled instance. Not a regression.

5. Known Follow-Up Tasks

MCDescription
#103102Graceful 404 handling for missing documents in UI; fix misleading BILKO-INV-001 error code returned on expense document content misses
#103103Flaky coverage test (expenses-ux-102887 dialog upload test) blocking clean Cloud Build artifact upload — unrelated to this fix
#103104Invoice-receipt download gap: POST /invoices/{id}/receipts returns 201 but no download endpoint exists and receiptUrl stays null in invoice record

6. Operational Notes — Demo Deploy Pipeline

Infrastructure & DevOps

Bilko Azure Observability + MS for Startups Credit Setup (2026-06-15)

Purpose

Cross $100/month in foundational Azure spend to automatically unlock the Microsoft for Startups $25K credit tier. The model is usage-triggered, not referral-gated: once cumulative Azure spend reaches the threshold, the Founders Hub dashboard upgrades the credit allocation automatically. This work establishes the baseline infrastructure telemetry and security services that generate billable spend from day one.

What Was Done (MC #103599, 2026-06-15)

Application Insights Wiring

Container App Revisions (state at time of work)

ServiceActive RevisionStatusTrafficHTTP Check
bilko-api-demo bilko-api-demo--0000003 Running / Healthy 100% HTTP 404 on root (Ktor baseline — app live, no root handler)
bilko-web-demo bilko-web-demo--0000002 Running / Healthy 100% HTTP 200 (Next.js)

Note (Proveo-corrected): bilko-web-demo--0000001 carries 0% traffic; a second deploy superseded it. Do not confuse with the active revision when diagnosing issues.

Microsoft Defender for Containers

Spend Mechanics

Verification

Independently verified by Proveo (Angie Jones). Verdict: PARTIAL — only a revision-name reporting discrepancy found (--0000001 vs --0000002 for bilko-web-demo), no functional defect.

Telemetry Status

Wired and operational. First metrics pending ingestion delay of approximately 10–15 minutes from fresh deploy (normal behaviour for App Insights cold start).

Open Items (flagged, out of scope for MC #103599)

How to Verify

# Confirm App Insights resource is healthy
az monitor app-insights component show --app appi-bilko -g rg-bilko-demo

# Check Defender pricing tier
az security pricing show --name Containers

# Check Container App active revision
az containerapp revision list -n bilko-api-demo -g rg-bilko-demo --query "[].{name:name,traffic:properties.trafficWeight,state:properties.runningState}"

# Monitor spend trajectory toward $100/month threshold
# Azure Portal: Cost Management > bilko subscription > cost analysis

Watch the Microsoft Founders Hub dashboard for automatic $25K credit tier upgrade once monthly spend crosses $100.

References

Infrastructure & DevOps

Bilko ACA Telemetry & Observability Wiring (Azure)

Context

GCP Cloud Monitoring dashboard (070613fa) was decommissioned 2026-06-23 after migration to Azure (MC #104228 closed). This page documents the ACA→Log Analytics + App Insights telemetry wiring done as follow-on MC #104266.

Resources

Root cause that was fixed

ACA env appLogsConfiguration.destination was not effectively set → ContainerApp logs not reaching the workspace. Fixed via:

az containerapp env update -n bilko-demo-env -g rg-bilko-demo --logs-destination log-analytics --logs-workspace-id 71443731-... --logs-workspace-key <key>

Result: ContainerAppSystemLogs_CL now flows (tool-verified 54 rows/15m, sustained).

App Insights instrumentation

Each ACA app needs env var APPLICATIONINSIGHTS_CONNECTION_STRING (from az monitor app-insights component show -g rg-bilko-demo -n appi-bilko --query connectionString -o tsv), set via az containerapp update -n <app> -g rg-bilko-demo --set-env-vars APPLICATIONINSIGHTS_CONNECTION_STRING=<value>. All 4 apps confirmed set.

KNOWN REMAINING GAP (important for runbook)

Setting the env var ALONE does not produce App Insights request/dependency telemetry — requests table = 0. The app code must initialize the App Insights SDK (Node: applicationinsights package; Spring Boot: azure-monitor starter). Until then, App-Insights-request-based workbook panels stay empty. The KQL log panel (ContainerAppSystemLogs_CL) and ACA platform-metric panels work regardless. Track app-code SDK init as a separate CodeCraft task if request tracing is needed.

Troubleshooting note

az monitor log-analytics query returns a FLAT array [{col:val}] — do NOT filter with --query "tables[0].rows" (returns empty falsely). az monitor app-insights query uses {tables:[{rows}]} shape.

Verification queries (runbook)

Infrastructure & DevOps

MC #104332 — Bilko URA LocalDate ISO deploy evidence

MC #104332 / URA3 LocalDate + UI polish deploy evidence (2026-06-25)

What changed

Validation evidence

Demo deployment

Name Image Latest Ready Running Traffic

bilko-api-demo bilkodemo.azurecr.io/bilko-api:demo-104332ura3 bilko-api-demo--ura3-api bilko-api-demo--ura3-api Running 100 bilko-web-demo bilkodemo.azurecr.io/bilko-web:demo-104332ura3 bilko-web-demo--ura3-web bilko-web-demo--ura3-web Running 100

Health probes:

Live UAT evidence

Azure DevOps merge evidence

Status

Local evidence directory: /Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/evidence/104332

Regulatory

Regulatory

Serbia — Regulatory Summary

Serbia (RS) Regulatory Requirements

Overview

VAT (PDV - Porez na dodatu vrednost)

Rate Type Rate Description
Standard 20% General goods and services (opšta stopa)
Reduced 10% Food, medicines, utilities (snižena stopa)
Zero 0% Exports, international transport

Registration Threshold: 8M RSD annual turnover Return Frequency: Monthly (>50M RSD) or Quarterly (<50M RSD) Filing Deadline: 15th of following month Portal: ePorezi

Corporate Income Tax (CIT - Porez na dobit)

Withholding Tax (WHT)

Type Rate
Dividends 20%
Interest 20%
Royalties 20%

Small Business Regime (Pausal)

E-Invoice (SEF - Sistem e-Faktura)

Platform: https://efaktura.gov.rs Status: Operational Mandatory Since:

Format: UBL 2.1 XML API: Available for integration (API docs)

Penalties: 50,000 - 2,000,000 RSD for non-compliance

Coming: eOtpremnica (e-waybill) expected 2026/2027

Fiscal Devices (B2C)

Required for: Cash sales (retail, restaurants, etc.) Systems:

Chart of Accounts (Kontni okvir)

Regulation: Pravilnik o kontnom okviru (2021) Structure: 10-class system (0-9)

Accounts: 3-digit base accounts (standardized), 4-5 digit analytical accounts (company-specific)

Financial Statement Filing

Institution: APR (Agencija za privredne registre) URL: https://www.apr.gov.rs Deadline: June 30 Required Statements:

Document Retention: 10 years

Bank Integration

Format: ISO 20022 (CAMT.053 for statements, pain.001 for payments) Instant Payments: IPS Serbia (1-second settlement) SEPA: Full member since May 2025

Accounting Standards

Mandatory: IFRS (International Financial Reporting Standards) for large entities and PIEs (Public Interest Entities) Optional: IFRS for SMEs for smaller entities Fallback: Serbian accounting regulations for micro entities

Key Dates

Event Deadline
VAT return 15th of following month
CIT advance payment Quarterly
CIT annual return June 30
Financial statements filing June 30

Implementation Notes

Regulatory

Bosnia — Regulatory Summary

Bosnia & Herzegovina (BA) Regulatory Requirements

Overview

COMPLEXITY: BiH has two entities:

VAT is unified at state level. Direct taxes (CIT, WHT) are separate per entity.

VAT (PDV - Porez na dodanu vrijednost)

Rate Type Rate Description
Standard 17% General goods and services (opća stopa)
Zero 0% Exports

No reduced rates

Registration Threshold: 100,000 BAM annual turnover Return Frequency: Monthly Filing Deadline: TBD (check UIO portal) Portal: UIO (Indirect Taxation Authority)

Corporate Income Tax (CIT - Porez na dobit)

Withholding Tax (WHT)

Type FBiH RS
Dividends 5% 10%
Interest 10% 10%
Royalties 10% 10%

IMPORTANT: Dividend WHT differs by entity!

Small Business Regime

E-Invoice (CPF - Central Platform for Fiscalisation)

Status: PENDING (expected ~2027) Law Adopted: January 2026 (FBiH only) Technical Specs: NOT YET PUBLISHED

Planned Coverage:

RS Entity: Separate regulations, no mandate yet

Implementation Note: Monitor for technical specifications publication. Do NOT implement until specs available.

Fiscal Devices (B2C)

Required for: Cash sales System: ESET (Electronic System of Tax Registers)

Chart of Accounts (Kontni okvir)

Regulation: FBiH Pravilnik (2022) Structure: 10-class system (0-9)

Note: RS may have slight variations - need verification

Accounts: 3-digit base accounts, 4-5 digit analytical accounts

Financial Statement Filing

Institution:

Deadline: March 31 Required Statements:

Document Retention:

Bank Integration

Format: ISO 20022 (aligned, not full SEPA) Payment System: Gyro Clearing + RTGS Instant Payments: Not available

Accounting Standards

Adopted: IFRS (International Financial Reporting Standards) by both entities Optional: IFRS for SMEs

Key Dates

Event Deadline
VAT return Monthly (check UIO)
CIT annual return March 31
Financial statements filing March 31

Implementation Notes

Unknowns & Risks

  1. CPF technical specs - Not published, expected ~2027
  2. RS e-invoice mandate - No timeline yet
  3. Specific account numbers - Need actual Pravilnik documents
  4. RS chart of accounts - May differ from FBiH, needs verification

Recommendation: Launch BiH THIRD (after Serbia and Croatia) to allow time for regulatory clarity.

Regulatory

Croatia — Regulatory Summary

Croatia (HR) Regulatory Requirements

Overview

VAT (PDV - Porez na dodanu vrijednost)

Rate Type Rate Description
Standard 25% General goods and services (opća stopa)
Intermediate 13% Certain foods, water supply, accommodation (srednja stopa)
Reduced 5% Books, newspapers, baby food (snižena stopa)
Zero 0% Exports, intra-EU supply

Registration Threshold: 60,000 EUR annual turnover Return Frequency: Monthly Filing Deadline: Last day of following month Portal: ePorezna

Corporate Income Tax (CIT - Porez na dobit)

Withholding Tax (WHT)

Type Rate
Dividends 10%
Interest 12%
Royalties 15%

Small Business Regime (Pausalni obrt)

E-Invoice (HR-FISK 2.0 / eRacun)

Platform: https://hr-fisk.fina.hr Status: Operational (launched January 2026) Mandatory Since: January 1, 2026 (B2B/B2G/B2C)

Format: UBL 2.1 XML with HR-CIUS (Croatian Implementation User Specification) Protocol: AS4 Network: Peppol-compatible Certificate: FINA certificate required

API: Available (HR-FISK docs)

Penalties: Up to 500,000 EUR for non-compliance (SEVERE)

Archive Requirement: 11 years

Fiscal Devices (B2C)

Required for: Cash sales (retail, restaurants, etc.) System: Fiskalizacija 1.0 (legacy) + Fiskalizacija 2.0 (launched 2026 alongside HR-FISK)

Chart of Accounts (Kontni plan)

Standard: RRiF (most widely used) Structure: 10-class system (0-9)

Accounts: 3-digit base accounts, 4-5 digit analytical accounts

Financial Statement Filing

Institution: FINA (Financijska agencija) URL: https://www.fina.hr Format: RGFI (Registar godišnjih financijskih izvještaja) Deadline: April 30 Required Statements:

Document Retention: 11 years

Bank Integration

Format: ISO 20022 (CAMT.053, pain.001) Instant Payments: SEPA Instant (full support) SEPA: Full member

Accounting Standards

Mandatory for PIEs: IFRS (International Financial Reporting Standards) For SMEs: Croatian Financial Reporting Standards (CFRS) based on IFRS for SMEs Micro entities: Simplified CFRS

Key Dates

Event Deadline
VAT return Last day of following month
CIT annual return April 30
Financial statements filing April 30

Implementation Notes

Regulatory

Multi-Region Overview

Multi-Region Accounting Standards Overview

Source: Research report /Users/makinja/system/reports/research-bilko-multi-region-2026-02-20.md

Key Architectural Insight: Shared Core + Country Plugins

What's SHARED (build once)

Component Standard Notes
Chart of Accounts structure 10 classes (0-9), decimal Same across all 3 countries
Accounting standards IFRS / IFRS for SMEs Adopted by all 3
Bookkeeping Double-entry Mandatory everywhere
Payment formats ISO 20022 (pain.001, camt.053) All 3 converging
E-invoice format UBL 2.1 XML (EN 16931) Standard across all 3
Data protection GDPR-aligned All 3 converging
Digital signatures eIDAS-aligned (QES/AES/SES) All 3 support
Software certification None required No barriers to entry
Data residency No in-country mandate Cloud hosting OK
User licensing No professional license needed Anyone can use

What's PER-COUNTRY (plugin architecture)

Component Serbia Croatia BiH
Currency RSD EUR BAM
VAT standard rate 20% 25% 17%
VAT reduced rates 10% 13%, 5% None
VAT registration threshold 8M RSD 60K EUR 100K BAM
VAT return frequency Monthly/Quarterly Monthly Monthly
VAT filing deadline 15th of next month Last day of next month TBD
Corporate income tax 15% 18% (10% if <1M EUR) 10%
CIT filing deadline June 30 April 30 March 31
WHT dividends 20% 10% FBiH 5%, RS 10%
E-invoice platform SEF (efaktura.gov.rs) eRacun/HR-FISK (FINA) CPF (pending)
E-invoice status Mandatory since 2023 Mandatory Jan 2026 Likely 2027
Fiscal devices (B2C) LPFR + ESIR Fiskalizacija 1.0 + 2.0 ESET
Chart of Accounts template Pravilnik (2021) RRiF standard FBiH Pravilnik (2022)
Filing institution APR FINA Agency of Financial Info
Document retention 10 years 11 years 10-11 years
Payment system IPS + SEPA (2026) SEPA (full) Gyro Clearing + RTGS
Open Banking PSD2 aligned (Jan 2026) PSD2 (full) Not adopted
Tax portal ePorezi ePorezna UIO (VAT), entity portals (CIT)
Small biz regime Pausal (<6M RSD) Pausalni obrt (<60K EUR) No specific regime

Launch Order

  1. Serbia FIRST - SEF operational, largest opportunity, e-invoicing driving adoption NOW
  2. Croatia SECOND - HR-FISK launching Jan 2026, EU compliance adds credibility
  3. BiH THIRD - Wait for CPF specs (2027), build locale/tax early

Competitive Strategy

Country-Specific Details

See:

Regulatory

Chart of Accounts (All Countries)

Unified Chart of Accounts Reference

Last Updated: 2026-02-20 Purpose: Cross-country comparison and implementation guide for Bilko's Chart of Accounts

Overview

All three target markets (Serbia, Bosnia & Herzegovina, Croatia) use a class-based Chart of Accounts structure inherited from the former Yugoslav accounting system. Despite political separation, the accounting frameworks remain structurally similar with 10 main classes (0-9).

graph TD
    subgraph BALKAN["Balkan Chart of Accounts — Universal Classes 0-9"]
        direction LR
        CL0["Class 0<br/>Stalna imovina<br/>Long-term Assets<br/>DEBIT normal"]
        CL1["Class 1<br/>Obrtna imovina<br/>Current Assets<br/>DEBIT normal"]
        CL2["Class 2<br/>Kratkoročne obaveze<br/>Short-term Liabilities<br/>CREDIT normal"]
        CL3["Class 3<br/>Kapital<br/>Equity<br/>CREDIT normal"]
        CL4["Class 4<br/>Dugoročne obaveze<br/>Long-term Liabilities<br/>CREDIT normal"]
        CL5["Class 5<br/>Rashodi<br/>Expenses<br/>DEBIT normal"]
        CL6["Class 6<br/>Prihodi<br/>Revenue<br/>CREDIT normal"]
        CL7["Class 7<br/>RS/BA: Troškovi (Costs)<br/>HR: Dobici i Gubici (Gains/Losses)<br/>MIXED"]
        CL8["Class 8<br/>Vanbilansna evidencija<br/>Off-Balance Sheet<br/>DEBIT memorandum"]
        CL9["Class 9<br/>Interna računovodstva<br/>Internal Accounting<br/>MIXED — enterprise only"]
    end

    BS["Balance Sheet"] --> CL0
    BS --> CL1
    BS --> CL2
    BS --> CL3
    BS --> CL4
    PL["P&L Statement"] --> CL5
    PL --> CL6
    PL --> CL7

    style CL0 fill:#198754,color:#fff
    style CL1 fill:#198754,color:#fff
    style CL2 fill:#dc3545,color:#fff
    style CL3 fill:#6f42c1,color:#fff
    style CL4 fill:#dc3545,color:#fff
    style CL5 fill:#fd7e14,color:#fff
    style CL6 fill:#0d6efd,color:#fff
    style CL7 fill:#6c757d,color:#fff
    style CL8 fill:#adb5bd,color:#fff
    style CL9 fill:#adb5bd,color:#fff
    style BS fill:#0d6efd,color:#fff
    style PL fill:#198754,color:#fff

Universal Structure (Classes 0-9)

Class 0: Long-term Assets (Stalna imovina / Dugotrajna imovina)

Normal Balance: Debit Examples:

Bilko AccountType: asset (debit normal balance)

Class 1: Current Assets (Obrtna imovina / Kratkotrajna imovina)

Normal Balance: Debit Examples:

Bilko AccountType: asset (debit normal balance)

Class 2: Short-term Liabilities (Kratkoročne obaveze)

Normal Balance: Credit Examples:

Bilko AccountType: liability (credit normal balance)

Class 3: Capital and Equity (Kapital / Glavni kapital)

Normal Balance: Credit Examples:

Bilko AccountType: equity (credit normal balance)

Class 4: Long-term Liabilities (Dugoročne obaveze)

Normal Balance: Credit Examples:

Bilko AccountType: liability (credit normal balance)

Class 5: Expenses (Rashodi / Troškovi poslovanja)

Normal Balance: Debit Examples:

Bilko AccountType: expense (debit normal balance)

Class 6: Revenue (Prihodi)

Normal Balance: Credit Examples:

Bilko AccountType: revenue (credit normal balance)

Class 7: Cost / Gains and Losses (Troškovi / Dobici i gubici)

Normal Balance: Mixed (varies by country)

NOTE: This class has different usage across the three countries:

Serbia & BiH: Costs (Troškovi)

Croatia: Gains and Losses (Dobici i gubici)

Bilko Implementation:

Class 8: Off-Balance Sheet Items (Vanbilansna evidencija)

Normal Balance: Debit (memorandum accounts) Examples:

Bilko AccountType: asset (debit memorandum) Note: These accounts do NOT affect the balance sheet totals — they are for tracking only.

Class 9: Internal Accounting (Interna računovodstva)

Normal Balance: Mixed (company-specific) Examples:

Bilko AccountType: Mixed — depends on company's internal structure Usage: Primarily for large multi-division companies. NOT needed for SMB MVP.

Account Numbering Hierarchy

graph TD
    CL["1 — Current Assets (Class)"]
    GRP["12 — Short-term Receivables (Group)"]
    ACC1["120 — Trade Receivables Domestic (Account)"]
    ACC2["121 — Trade Receivables Foreign (Account)"]
    SA1["1200 — Trade Rec. — EU (Sub-account)"]
    SA2["1201 — Trade Rec. — Non-EU (Sub-account)"]
    SA3["1210 — Foreign Rec. — EU (Sub-account)"]
    SA4["1211 — Foreign Rec. — Non-EU (Sub-account)"]

    CL --> GRP
    GRP --> ACC1
    GRP --> ACC2
    ACC1 --> SA1
    ACC1 --> SA2
    ACC2 --> SA3
    ACC2 --> SA4

    MVP["MVP Scope<br/>2-3 digit codes<br/>covers 95% of SMBs"]
    PH2["Phase 2<br/>4+ digit analytical accounts<br/>enterprise clients"]

    ACC1 -.->|"MVP"| MVP
    SA1 -.->|"Phase 2"| PH2

    style CL fill:#0d6efd,color:#fff
    style GRP fill:#0d6efd,color:#fff,stroke-dasharray: 5 5
    style ACC1 fill:#198754,color:#fff
    style ACC2 fill:#198754,color:#fff
    style SA1 fill:#6c757d,color:#fff
    style SA2 fill:#6c757d,color:#fff
    style SA3 fill:#6c757d,color:#fff
    style SA4 fill:#6c757d,color:#fff
    style MVP fill:#ffc107,stroke:#e0a800
    style PH2 fill:#adb5bd,color:#fff

Country-Specific Differences

Serbia

Bosnia & Herzegovina

Croatia

Country Divergence — Class 7

graph LR
    CL7["Class 7"]

    CL7 --> RS7["Serbia RS<br/>Troškovi (Costs)<br/>70: Cost of goods sold<br/>71: Cost of services sold<br/>72: Production costs<br/>AccountType: expense"]

    CL7 --> BA7["Bosnia BA<br/>Troškovi (Costs)<br/>70: Cost of goods sold<br/>71: Cost of services sold<br/>72: Production costs<br/>AccountType: expense"]

    CL7 --> HR7["Croatia HR<br/>Dobici i gubici<br/>(Gains and Losses)<br/>70: Extraordinary gains<br/>71: Extraordinary losses<br/>72: Prior period adjustments<br/>AccountType: revenue/expense mixed"]

    RS7 --> SAME["Serbia + BiH<br/>Identical Class 7 treatment<br/>Cost accounting focus"]
    BA7 --> SAME

    HR7 --> DIFF["Croatia differs<br/>Non-operating items only<br/>Bilko: type depends on sub-account"]

    style CL7 fill:#6c757d,color:#fff
    style RS7 fill:#c0392b,color:#fff
    style BA7 fill:#2c3e50,color:#fff
    style HR7 fill:#e74c3c,color:#fff
    style SAME fill:#198754,color:#fff
    style DIFF fill:#ffc107,stroke:#e0a800

MVP Implementation for Bilko

Minimum Chart of Accounts for SMBs

A basic SMB in any of the three markets needs at minimum 30-40 accounts to operate legally:

Assets (Classes 0-1)

Liabilities (Classes 2, 4)

Equity (Class 3)

Revenue (Class 6)

Expenses (Class 5)

Total: ~40 accounts (covers 90% of SMB transactions)

Seed Data Strategy

Approach: Country-Specific Presets

Bilko should ship with 3 predefined Chart of Accounts templates:

  1. Serbia — SMB Standard (Serbian language, Classes 0-6 + 8)
  2. BiH — FBiH SMB Standard (Bosnian language, IFRS-aligned, Classes 0-6 + 8)
  3. BiH — RS SMB Standard (Serbian language, IFRS-aligned, Classes 0-6 + 8)
  4. Croatia — SMB Standard (Croatian language, RRiF-based, Classes 0-6 + 7-gains/losses + 8)

Installation Process

On Company Setup:

  1. User selects country: Serbia / BiH-FBiH / BiH-RS / Croatia
  2. Bilko seeds database with relevant Chart of Accounts preset
  3. User can:
    • Accept preset as-is (recommended for new businesses)
    • Customize (add/edit/hide accounts)
    • Import existing chart (for migrating companies)

Database Schema

-- Chart of Accounts Table
CREATE TABLE chart_of_accounts (
  id INTEGER PRIMARY KEY,
  company_id INTEGER NOT NULL,
  code TEXT NOT NULL,           -- e.g., "120", "600"
  name TEXT NOT NULL,            -- e.g., "Potraživanja od kupaca", "Prihodi od prodaje"
  name_en TEXT,                  -- English translation (optional)
  account_type TEXT NOT NULL,    -- 'asset', 'liability', 'equity', 'revenue', 'expense'
  class INTEGER NOT NULL,        -- 0-9
  parent_code TEXT,              -- for hierarchical charts (e.g., "12" parent of "120")
  country TEXT NOT NULL,         -- 'RS' (Serbia), 'BA-FBiH', 'BA-RS', 'HR' (Croatia)
  is_system BOOLEAN DEFAULT 1,  -- system preset vs user-created
  is_active BOOLEAN DEFAULT 1,  -- allow hiding unused accounts
  FOREIGN KEY (company_id) REFERENCES companies(id),
  UNIQUE (company_id, code)
);

-- Example Seed Data (Serbia)
INSERT INTO chart_of_accounts (company_id, code, name, account_type, class, country) VALUES
  (1, '120', 'Potraživanja od kupaca', 'asset', 1, 'RS'),
  (1, '140', 'Novac u banci', 'asset', 1, 'RS'),
  (1, '210', 'Obaveze prema dobavljačima', 'liability', 2, 'RS'),
  (1, '240', 'PDV za uplatu', 'liability', 2, 'RS'),
  (1, '300', 'Osnovni kapital', 'equity', 3, 'RS'),
  (1, '600', 'Prihodi od prodaje robe', 'revenue', 6, 'RS'),
  (1, '510', 'Troškovi zarada', 'expense', 5, 'RS');

Multi-Country Handling

Scenario: Company operates in multiple countries

Example: Serbian company (HQ) with BiH branch and Croatian client invoicing

Approach:

  1. Primary Chart: Serbia (company HQ location)
  2. Secondary Charts: BiH and Croatia (linked, not duplicated)
  3. Mapping Table: Maps Serbian account codes to BiH/Croatia equivalents
CREATE TABLE account_mapping (
  id INTEGER PRIMARY KEY,
  company_id INTEGER NOT NULL,
  source_code TEXT NOT NULL,      -- e.g., "120" (Serbia)
  source_country TEXT NOT NULL,   -- 'RS'
  target_code TEXT NOT NULL,      -- e.g., "120" (BiH)
  target_country TEXT NOT NULL,   -- 'BA-FBiH'
  FOREIGN KEY (company_id) REFERENCES companies(id)
);

Usage:

IFRS Alignment (BiH Requirement)

Challenge

BiH legally requires IFRS Accounting Standards, but traditional Chart of Accounts is NOT IFRS.

Solution: Hybrid Approach

  1. Internal Recording: Use traditional Chart of Accounts (Classes 0-9)

    • This is what accountants know
    • Compatible with neighboring Serbia and Croatia
    • Easy for SMBs to understand

  2. Financial Statements: Generate IFRS-compliant reports via mapping

    • Map Class 0-1 → IFRS Statement of Financial Position (Assets)
    • Map Class 2-4 → IFRS Statement of Financial Position (Liabilities)
    • Map Class 3 → IFRS Statement of Financial Position (Equity)
    • Map Class 5-6 → IFRS Statement of Comprehensive Income

  3. IFRS Disclosure Notes: Auto-generate based on account types

    • Property, Plant & Equipment (Class 02)
    • Inventories (Class 10-12)
    • Trade Receivables (Class 13)
    • etc.

Benefit: SMBs can use familiar Chart of Accounts, but produce IFRS-compliant financial statements when needed (e.g., for bank loans, audits).

Account Numbering Schemes

Standard Practice (All Three Countries)

Example Hierarchy:

1   — Current Assets (Class)
 12  — Short-term Receivables (Group)
  120 — Trade Receivables - Domestic (Account)
  121 — Trade Receivables - Foreign (Account)
   1210 — Trade Receivables - EU (Sub-account)
   1211 — Trade Receivables - Non-EU (Sub-account)

Bilko Recommendation

Implementation Checklist for Bilko

Phase 1 (MVP)

Phase 2

Phase 3

Sources

Regulatory

Serbia — SEF e-Invoicing

Serbia — Sistem Elektronskih Faktura (SEF)

Last Updated: 2026-02-20 Confidence Level: HIGH (verified from official sources and regulatory updates)

Overview

Serbia operates a mandatory electronic invoicing system called SEF (Sistem Elektronskih Faktura) for all VAT-liable companies. The system requires all invoices to be transmitted through a central government platform in structured XML format.

1. VAT/PDV Rate and Rules [HIGH]

Standard and Reduced Rates

Filing Frequency [HIGH]

Tax Authority

Serbia PDV Rate Structure

graph TD
    PDV["PDV (VAT) — Srbija"]

    PDV --> STD["Standardna stopa<br/>20%<br/>Opšte dobavljanje<br/>Većina usluga"]
    PDV --> RED["Smanjena stopa<br/>10%<br/>Osnovna hrana<br/>Lijekovi<br/>Novine<br/>Komunalije<br/>Javni prevoz"]
    PDV --> ZERO["Nulta stopa<br/>0%<br/>Izvoz robe<br/>Međunarodni vazdušni prevoz<br/>Prateće izvozne usluge"]

    PDV --> REG["Prag registracije<br/>8.000.000 RSD<br/>godišnji promet"]
    PDV --> PAUSAL["Paušalni režim<br/>ispod 6.000.000 RSD<br/>godišnji prihodi"]

    FILING["Podnošenje PDV prijave"]
    FILING --> MONTHLY["Mjesečno<br/>promet &ge; 50M RSD<br/>rok: 15 dana nakon perioda"]
    FILING --> QUARTERLY["Kvartalno<br/>promet &lt; 50M RSD<br/>rok: 15 dana nakon kvartala"]

    style PDV fill:#c0392b,color:#fff
    style STD fill:#dc3545,color:#fff
    style RED fill:#fd7e14,color:#fff
    style ZERO fill:#198754,color:#fff
    style FILING fill:#0d6efd,color:#fff
    style MONTHLY fill:#6c757d,color:#fff
    style QUARTERLY fill:#6c757d,color:#fff

2. Electronic Invoicing (SEF System) [HIGH]

Mandatory Timeline

Scope [HIGH]

All VAT-liable companies in Serbia must issue and receive e-invoices. This includes:

Technical Format [HIGH]

Digital Certificate Requirements [MEDIUM]

E-Transport (E-Delivery Notes) [HIGH]

NEW REQUIREMENT — 2026 onwards:

SEF E-Invoicing Flow

sequenceDiagram
    participant BILKO as Bilko
    participant CERT as Digitalni Sertifikat<br/>(Qualified CA)
    participant SEF as efaktura.mfin.gov.rs<br/>(Ministry of Finance)
    participant BUYER as Kupac (Buyer)
    participant PURS as Poreska Uprava<br/>(Tax Administration)

    Note over BILKO,PURS: B2B mandatory since 01.01.2023

    BILKO->>BILKO: Kreirati fakturu<br/>UBL 2.1 XML format
    BILKO->>BILKO: Validirati EN 16931<br/>Serbian CIUS compliance
    BILKO->>CERT: Potpisati XML<br/>(Qualified digital signature)
    CERT-->>BILKO: Potpisana faktura

    BILKO->>SEF: POST /api/publicApi/salesInvoices<br/>(signed UBL 2.1 XML)
    SEF->>SEF: Validacija formata<br/>i sertifikata

    alt Validacija uspješna
        SEF-->>BILKO: 200 OK + invoiceId<br/>(SEF internal ID)
        SEF->>BUYER: Notifikacija o novoj fakturi
        BUYER->>SEF: GET /api/purchaseInvoices/:id<br/>(preuzimanje fakture)
        SEF-->>BUYER: UBL 2.1 XML faktura
        BUYER->>BUYER: Procesiranje fakture
        BUYER->>SEF: Potvrda prijema (opciono)
        SEF->>PURS: Real-time reporting<br/>(porezni podaci)
    else Validacija neuspješna
        SEF-->>BILKO: 400 Bad Request<br/>(greška validacije)
        BILKO->>BILKO: Ispraviti fakturu i pokušati ponovo
    end

    Note over BILKO,PURS: Čuvanje 10 godina<br/>Dostupno za poreznu kontrolu

3. Chart of Accounts Standard [HIGH]

Structure [MEDIUM]

The Serbian Chart of Accounts follows a class-based structure typical of Balkan accounting systems:

Requirement [HIGH]

Serbia Kontni Okvir — Class Hierarchy

graph TD
    KO["Kontni Okvir Srbije<br/>(Chart of Accounts Framework)<br/>Zakon o računovodstvu<br/>Sl. glasnik RS br. 95/2014"]

    KO --> BS_SIDE["Bilans Stanja (Balance Sheet)"]
    KO --> PL_SIDE["Bilans Uspjeha (P&L)"]

    BS_SIDE --> CL0["Klasa 0: Stalna imovina<br/>020 Građevinski objekti<br/>021 Mašine i uređaji<br/>023 Računari<br/>[DEBIT]"]
    BS_SIDE --> CL1["Klasa 1: Obrtna imovina<br/>120 Potraživanja od kupaca<br/>140 Novac u banci<br/>141 Blagajna<br/>[DEBIT]"]
    BS_SIDE --> CL2["Klasa 2: Kratkoročne obaveze<br/>210 Dobavljači<br/>240 PDV za uplatu<br/>241 Porez na dohodak<br/>[KREDIT]"]
    BS_SIDE --> CL3["Klasa 3: Kapital<br/>300 Osnovna kapital<br/>330 Neraspoređena dobit<br/>340 Dobit/gubitak<br/>[KREDIT]"]
    BS_SIDE --> CL4["Klasa 4: Dugoročne obaveze<br/>400 Dugoročni krediti<br/>420 Rezervisanja<br/>[KREDIT]"]

    PL_SIDE --> CL5["Klasa 5: Rashodi<br/>510 Troškovi zarada<br/>530 Amortizacija<br/>540 Zakupnina i komunalije<br/>[DEBIT]"]
    PL_SIDE --> CL6["Klasa 6: Prihodi<br/>600 Prihodi od prodaje robe<br/>601 Prihodi od usluga<br/>610 Izvozni prihodi (0% PDV)<br/>[KREDIT]"]
    PL_SIDE --> CL7["Klasa 7: Troškovi<br/>(Cost Accounting)<br/>70 Troškovi prodane robe<br/>71 Troškovi prodanih usluga<br/>[DEBIT]"]

    style KO fill:#c0392b,color:#fff
    style BS_SIDE fill:#0d6efd,color:#fff
    style PL_SIDE fill:#198754,color:#fff
    style CL0 fill:#198754,color:#fff
    style CL1 fill:#198754,color:#fff
    style CL2 fill:#dc3545,color:#fff
    style CL3 fill:#6f42c1,color:#fff
    style CL4 fill:#dc3545,color:#fff
    style CL5 fill:#fd7e14,color:#fff
    style CL6 fill:#0d6efd,color:#fff
    style CL7 fill:#6c757d,color:#fff

4. Record Keeping Requirements [HIGH]

Retention Period [HIGH]

Electronic Storage [HIGH]

Audit Trail [HIGH]

5. MVP Impact Assessment

MVP-CRITICAL (Must Have for Legal Operation)

  1. SEF Integration [HIGH PRIORITY]

    • UBL 2.1 XML invoice generation
    • API integration with efaktura.mfin.gov.rs platform
    • Real-time invoice transmission
    • Digital certificate handling

  2. PDV (VAT) Calculation [HIGH PRIORITY]

    • Support for 20% standard, 10% reduced, 0% export rates
    • Automatic VAT calculation on transactions
    • VAT report generation for monthly/quarterly filing

  3. Serbian Chart of Accounts [HIGH PRIORITY]

    • Predefined Serbian Kontni Okvir structure (Classes 0-9)
    • Mapping of transactions to correct account codes
    • Support for Serbian language in accounting records

  4. Electronic Record Storage [HIGH PRIORITY]

    • 10-year retention capability
    • Original format preservation
    • Audit trail for all transactions
    • Export functionality for tax authority audits

FUTURE (v2 or Later)

  1. E-Transport (E-Delivery Notes) [MEDIUM PRIORITY]

    • Not critical for initial MVP (Phase 1 begins Jan 2026)
    • Required only for:
      • Companies selling to public sector
      • Logistics/carrier companies
      • Excise goods (alcohol, tobacco, fuel)
    • Can be added when targeting these segments

  2. Advanced VAT Features [LOW PRIORITY]

    • Reverse charge mechanism
    • Cross-border VAT (intra-EU supplies)
    • Tax exemption handling for specific sectors

  3. Multi-Currency Support [LOW PRIORITY]

    • Initial MVP can focus on RSD (Serbian Dinar) only
    • Foreign currency transactions can be added later

Implementation Notes for Bilko

Critical Path

  1. SEF XML Generation Engine: Core requirement — without this, invoices are not legally valid
  2. Digital Certificates: Must acquire qualified certificates for invoice signing — partner with local CA (Certification Authority)
  3. Platform API: Study efaktura.mfin.gov.rs API documentation — may require Serbian language documentation
  4. Local Testing: Must test with Serbian Tax Administration sandbox before production

Risks

Recommendation

Hire local Serbian accounting advisor for:

Sources

Regulatory

Bosnia — PDV System

Bosnia & Herzegovina — PDV (Porez na dodatu vrijednost)

Last Updated: 2026-02-20 Confidence Level: HIGH for tax rates, MEDIUM for e-invoicing (pending legislation)

Overview

Bosnia and Herzegovina operates a unified VAT (PDV) system administered by the Indirect Taxation Authority (Uprava za neizravno oporezivanje / UNO/ITA). Despite the country's complex two-entity structure (Federation of BiH and Republika Srpska), VAT is applied uniformly across the entire territory.

BiH Entity Structure and Tax Governance

graph TD
    BIH["Bosna i Hercegovina (BiH)"]

    BIH --> FBIH["Federacija BiH (FBiH)<br/>Primarni entitet<br/>Sarajevo, Mostar<br/>~60% populacije"]
    BIH --> RS_ENT["Republika Srpska (RS)<br/>Banja Luka<br/>~40% populacije"]
    BIH --> BD["Brčko Distrikt<br/>Poseban status"]

    BIH --> UNO["UNO / ITA<br/>Uprava za neizravno oporezivanje<br/>Jedinstveni PDV za cijelu BiH<br/>www.uino.gov.ba"]

    UNO --> PDV_UNIFIED["PDV — Jedinstvena stopa<br/>17% za cijelu BiH<br/>Nema smanjene stope"]

    FBIH --> FBIH_ACC["Računovodstvo FBiH<br/>Zakon o računovodstvu 2021<br/>IFRS obavezno<br/>Jezik: Bosanski"]
    RS_ENT --> RS_ACC["Računovodstvo RS<br/>Zakon (Sl. glasnik RS 94/15, 78/20)<br/>IFRS obavezno<br/>Jezik: Srpski"]

    FBIH --> FBIH_CIT["Porez na dobit FBiH<br/>10% flat<br/>WHT dividende: 5%"]
    RS_ENT --> RS_CIT["Porez na dobit RS<br/>10% flat<br/>WHT dividende: 10%"]

    style BIH fill:#2c3e50,color:#fff
    style UNO fill:#c0392b,color:#fff
    style PDV_UNIFIED fill:#dc3545,color:#fff
    style FBIH fill:#2980b9,color:#fff
    style RS_ENT fill:#8e44ad,color:#fff
    style BD fill:#6c757d,color:#fff

1. VAT/PDV Rate and Rules [HIGH]

Single Rate System

Registration Threshold [HIGH]

Filing Frequency [HIGH]

Tax Authority [HIGH]

BiH PDV Filing Flow

flowchart TD
    TRANS["Transakcija (Transaction)"]

    TRANS --> CHECK{"PDV obveznik?<br/>(>= 100.000 BAM)"}

    CHECK -->|Da — VAT registered| CALC["Obračun PDV 17%<br/>Nema smanjena stopa<br/>Izvoz = 0%"]
    CHECK -->|Ne — Below threshold| NOVAT["Bez PDV<br/>Pratiti promet<br/>prema 100K BAM pragu"]

    CALC --> IZDAVANJE["Izdavanje fakture<br/>(sa PDV-om)"]
    CALC --> ULAZNI["Ulazni PDV<br/>(kupovine / troškovi)"]

    IZDAVANJE --> IZLAZNI["Izlazni PDV<br/>(prodaje / prihodi)"]

    IZLAZNI --> PRIJAVA["Mjesečna PDV Prijava<br/>UNO/ITA<br/>Rok: kraj narednog mjeseca"]
    ULAZNI --> PRIJAVA

    PRIJAVA --> NETPDV{"Neto PDV"}
    NETPDV -->|"Izlazni > Ulazni"| UPLATA["Uplata PDV<br/>UNO/ITA"]
    NETPDV -->|"Ulazni > Izlazni"| POVRAT["Povrat PDV<br/>od UNO/ITA"]

    PRIJAVA --> CUVANJE["Čuvanje dokumentacije<br/>Minimum 5 godina"]

    style TRANS fill:#2c3e50,color:#fff
    style CALC fill:#dc3545,color:#fff
    style UPLATA fill:#dc3545,color:#fff
    style POVRAT fill:#198754,color:#fff
    style CUVANJE fill:#6c757d,color:#fff

2. Electronic Invoicing (E-Faktura) [MEDIUM]

Legislative Status [MEDIUM — PENDING]

Planned Scope [MEDIUM]

The Draft Law proposes mandatory e-invoicing for:

Out of Scope:

Technical Format [MEDIUM — PENDING FINAL REGULATIONS]

Current Status [LOW — UNCERTAIN]

BiH E-Faktura Status (2026)

stateDiagram-v2
    [*] --> Draft_Law: Nacrt zakona objavljen

    Draft_Law --> Parliament: Prihvaćen, upućen Parlamentu

    Parliament --> Pending: Status Feb 2026<br/>Implementacijski rokovi se definišu<br/>Sekundarni propisi čekaju

    Pending --> Enacted: Zakon stupi na snagu<br/>[MOGUĆE Q2-Q3 2026]
    Pending --> Delayed: Odgođeno<br/>[RIZIK — pratiti UNO/ITA]

    Enacted --> Phase_B2G: B2G obavezno<br/>Svi dobavljači vlade

    Enacted --> Phase_B2B: B2B obavezno<br/>Svi PDV obveznici

    Enacted --> Phase_B2C: B2C obavezno<br/>(bez sigurnosti, zdravstva,<br/>socijalne zaštite)

    Phase_B2G --> CPF: Centralna Platforma za Fiskalizaciju (CPF)<br/>EN 16931 standard<br/>UBL 2.1 format

    Phase_B2B --> CPF
    Phase_B2C --> EFS: Odobreni Elektronski Fiskalni Sistemi (EFS)<br/>ESET alati<br/>Certificirani uređaji

    note right of Pending
        Bilko MVP preporuka:
        NE implementirati još
        Pratiti UNO/ITA website
        Implementirati Q2 2026 ako
        zakon stupi na snagu
    end note

3. Chart of Accounts Standard [MEDIUM]

Two-Entity System [MEDIUM]

Bosnia and Herzegovina has two separate accounting frameworks due to its constitutional structure:

Federation of BiH (FBiH) [HIGH]

Republika Srpska (RS) [HIGH]

Chart of Accounts Structure [MEDIUM]

Both entities use analytical chart of accounts following traditional Balkan structure:

IFRS for SMEs [MEDIUM]

4. Record Keeping Requirements [MEDIUM]

Retention Period [MEDIUM]

NOTE: Some sources indicate retention periods can vary from 5 years to permanent recordkeeping depending on document type. UNVERIFIED — needs local accounting advisor confirmation.

Electronic Storage [MEDIUM]

Entity-Specific Variations [LOW]

Due to BiH's complex constitutional structure (FBiH, RS, Brčko District, 10 Cantons in FBiH), legislation may be introduced at multiple administrative levels. Specific retention requirements may vary by entity — requires verification with local advisor.

5. MVP Impact Assessment

MVP-CRITICAL (Must Have for Legal Operation)

  1. PDV (VAT) Calculation [HIGH PRIORITY]

    • Single rate: 17% on all taxable supplies
    • Zero-rate for exports
    • VAT report generation for monthly filing
    • Registration threshold tracking (100,000 BAM)

  2. Chart of Accounts — Dual Support [HIGH PRIORITY]

    • Support BOTH FBiH and RS accounting frameworks
    • IFRS-compliant account structure
    • Entity selection during company setup (FBiH vs RS vs Brčko)
    • Bosnian/Serbian language support for account names

  3. Electronic Record Storage [MEDIUM PRIORITY]

    • 5-year minimum retention
    • Original format preservation
    • Print capability for all stored records

FUTURE (v2 or Phase 2)

  1. E-Invoicing (E-Faktura) [MEDIUM PRIORITY — WATCH & WAIT]

    • NOT CRITICAL FOR MVP — legislation still pending
    • Monitor UNO/ITA for final regulations
    • Target implementation: Q2-Q3 2026 (if mandate proceeds)
    • Features needed:
      • EN 16931 XML generation
      • Central Platform for Fiscalisation (CPF) API integration
      • Electronic Fiscal Systems (EFS) for B2C

  2. Advanced IFRS Features [LOW PRIORITY]

    • Full IFRS vs IFRS for SMEs selector
    • Consolidated financial statements
    • Multi-currency for PIEs

  3. Brčko District Support [LOW PRIORITY]

    • Separate administrative unit with potential unique requirements
    • Low priority unless targeting this market

Implementation Notes for Bilko

Critical Decisions

  1. FBiH vs RS Default?

    • Most commercial activity in FBiH (Sarajevo)
    • Consider FBiH as default, RS as option
    • OR: Entity selector during onboarding

  2. IFRS Compliance

    • Full IFRS implementation is complex
    • Consider IFRS for SMEs as MVP scope
    • Partner with local accounting firm for IFRS mapping

  3. Language Requirements

    • Bosnian language support MANDATORY
    • Serbian Cyrillic optional (RS uses Latin + Cyrillic)
    • English for international users (optional)

Risks

Recommendations

  1. Launch without E-Invoicing: Wait for final regulations before implementing
  2. Partner with BiH Accounting Firm: For IFRS guidance and entity-specific requirements
  3. Localize Interface: Bosnian language MUST be primary
  4. Monitor UNO/ITA: Set up alert for e-invoicing regulation updates

UNVERIFIED ITEMS — NEEDS LOCAL ADVISOR REVIEW

  1. Exact retention period per document type: Ranges from 5 years to permanent — need detailed matrix
  2. Digital certificate requirements for e-invoicing: Not yet published
  3. CPF platform technical specs: Awaiting secondary regulations
  4. Brčko District unique requirements: Unclear if different from FBiH/RS
  5. Canton-level variations in FBiH: 10 cantons may have specific rules

Sources

Regulatory

Croatia — eRačun & HR-FISK

Croatia — eRačun and Fiscalization (Fiskalizacija)

Last Updated: 2026-02-20 Confidence Level: HIGH (Croatia is EU member with well-documented regulations)

Overview

Croatia, as an EU member state, implements a comprehensive e-invoicing and fiscalization system. Two parallel systems operate as of January 1, 2026:

  1. Fiscalization 1.0 — B2C (end consumer) transactions with real-time cash register fiscalization
  2. Fiscalization 2.0 — B2B and B2G electronic invoicing with mandatory use of the eRačun platform

Croatia Dual Fiscalization System

graph TD
    HR["Republika Hrvatska<br/>EU Member State<br/>VAT: PDV<br/>Currency: EUR (since 2023)"]

    HR --> FISC1["Fiskalizacija 1.0<br/>B2C transakcije<br/>Već na snazi (postojeći zahtjev)"]
    HR --> FISC2["Fiskalizacija 2.0<br/>B2B transakcije<br/>Obavezno od 01.01.2026"]

    FISC1 --> F1_REQ["Zahtjevi:<br/>Certificirani fiskalni uređaji<br/>Real-time veza s Poreznom upravom<br/>JIR (Jedinstveni identifikator računa)<br/>Odmah"]

    FISC2 --> F2_VAT["PDV Obveznici:<br/>Obavezno izdavati i primati<br/>e-račune od 01.01.2026<br/>Real-time reporting na eRačun"]
    FISC2 --> F2_NOVAT["Ne-PDV Obveznici:<br/>Primati e-račune od 01.01.2026<br/>Izdavati e-račune od 01.01.2027"]

    FISC2 --> FINA["FINA (Financijska agencija)<br/>Operator eRačun platforme<br/>Centralni hub za B2G i B2B<br/>www.fina.hr"]

    FISC2 --> B2G["B2G (Servis eRačun za državu)<br/>Obavezno od 01.07.2019<br/>UBL 2.1 (preporučeno)<br/>ili CII format"]

    style HR fill:#e74c3c,color:#fff
    style FISC1 fill:#fd7e14,color:#fff
    style FISC2 fill:#dc3545,color:#fff
    style FINA fill:#0d6efd,color:#fff
    style B2G fill:#198754,color:#fff
    style F2_VAT fill:#dc3545,color:#fff
    style F2_NOVAT fill:#ffc107,stroke:#e0a800

1. VAT/PDV Rate and Rules [HIGH]

Rate Structure (2026)

NOTE: Croatia does NOT use a super-reduced rate below 5% as of 2026.

Filing Requirements [MEDIUM]

Tax Authority

Croatia PDV Rate Structure

graph TD
    PDV_HR["PDV (VAT) — Hrvatska<br/>Porezna uprava"]

    PDV_HR --> STD["Osnovna stopa<br/>25%<br/>Jedna od najviših u EU<br/>Opća primjena"]
    PDV_HR --> RED1["Smanjena stopa 1<br/>13%<br/>Hrana<br/>Smještaj (hoteli)<br/>Komunalije"]
    PDV_HR --> RED2["Smanjena stopa 2<br/>5%<br/>Knjige<br/>Lijekovi<br/>Dnevne novine"]
    PDV_HR --> ZERO["Nulta stopa<br/>0%<br/>Intra-EU putnički prevoz<br/>Međunarodni prevoz"]

    PDV_HR --> CIT["Porez na dobit"]
    CIT --> CIT_SMALL["10%<br/>Prihodi &lt; 1M EUR<br/>Malo poduzetništvo"]
    CIT --> CIT_LARGE["18%<br/>Prihodi &ge; 1M EUR<br/>Veliko poduzetništvo"]

    PDV_HR --> REG["Prag PDV registracije<br/>60.000 EUR<br/>(EU 2025 usklađeno)"]

    style PDV_HR fill:#e74c3c,color:#fff
    style STD fill:#dc3545,color:#fff
    style RED1 fill:#fd7e14,color:#fff
    style RED2 fill:#ffc107,stroke:#e0a800
    style ZERO fill:#198754,color:#fff
    style CIT fill:#0d6efd,color:#fff

2. Electronic Invoicing — Dual System [HIGH]

A. B2G (Business-to-Government) — Mandatory Since July 1, 2019 [HIGH]

Technical Requirements [HIGH]

Scope [HIGH]

B. B2B (Business-to-Business) — Mandatory Since January 1, 2026 [HIGH]

Mandatory Requirements [HIGH]

Technical Format [HIGH]

Real-Time Reporting [HIGH]

eRačun B2B Flow — Fiscalization 2.0

sequenceDiagram
    participant BILKO as Bilko
    participant CA as Certifikat<br/>(Croatian CA)
    participant ERACUN as eRačun platforma<br/>(FINA)
    participant BUYER as Kupac<br/>(B2B primatelj)
    participant POREZNA as Porezna uprava<br/>(Tax Authority)

    Note over BILKO,POREZNA: B2B obavezno od 01.01.2026<br/>Real-time reporting na Poreznu upravu

    BILKO->>BILKO: Kreirati e-Račun<br/>UBL 2.1 ili CII format<br/>EN 16931 validacija
    BILKO->>BILKO: Dodati PDV<br/>(25% / 13% / 5% / 0%)
    BILKO->>CA: Potpisati digitalno<br/>(kvalificirani certifikat)
    CA-->>BILKO: Potpisani račun

    BILKO->>ERACUN: POST e-račun<br/>(FINA API)
    ERACUN->>ERACUN: Validacija<br/>EN 16931 usklađenost<br/>Format i potpis

    alt Uspješna validacija
        ERACUN-->>BILKO: 200 OK + račun ID
        ERACUN->>POREZNA: Real-time reporting<br/>(porezni podaci odmah)
        ERACUN->>BUYER: Notifikacija: novi račun
        BUYER->>ERACUN: Preuzimanje e-računa
        ERACUN-->>BUYER: UBL 2.1 XML
        BUYER->>BUYER: Procesiranje i knjiženje
    else Neuspješna validacija
        ERACUN-->>BILKO: Greška validacije<br/>(EN 16931 kršenje)
        BILKO->>BILKO: Ispraviti i ponovo poslati
    end

    Note over BILKO: B2G (servis eRačun za državu):<br/>Isti tok, obavezno od 01.07.2019<br/>Svi dobavljači javnog sektora

3. FINA (Financijska agencija) [HIGH]

Role in E-Invoicing

Croatia HR-FISK 2.0 Integration Architecture

graph TD
    subgraph BILKO_STACK["Bilko Internal Stack"]
        INV_ENGINE["Invoice Engine<br/>UBL 2.1 / CII Generator"]
        VAT_CALC["PDV Calculator<br/>25% / 13% / 5% / 0%"]
        CHART_HR["Računski plan (RRiF)<br/>HR Chart of Accounts"]
        CERT_MGR["Certifikat Manager<br/>Qualified CA Croatia"]
        EN16931["EN 16931 Validator<br/>EU standard compliance"]
    end

    subgraph FINA_PLATFORM["FINA eRačun Platform"]
        B2B_API["B2B API<br/>(Fiscalization 2.0)<br/>od 01.01.2026"]
        B2G_API["B2G API<br/>(Servis eRačun za državu)<br/>od 01.07.2019"]
        MONITOR["Monitoring sustav<br/>(Porezna uprava)"]
    end

    INV_ENGINE --> EN16931
    VAT_CALC --> INV_ENGINE
    CHART_HR --> INV_ENGINE
    CERT_MGR --> INV_ENGINE
    EN16931 --> B2B_API
    EN16931 --> B2G_API
    B2B_API --> MONITOR
    B2G_API --> MONITOR

    subgraph FUTURE["Fiskalizacija 1.0 — B2C (Buduće)"]
        CASH_REG["Fiskalni uređaji<br/>Certificirani cash register<br/>JIR identifikator"]
    end

    BILKO_STACK -.->|"Phase 2 if retail"| FUTURE

    style BILKO_STACK fill:#f8f9fa,stroke:#dee2e6
    style FINA_PLATFORM fill:#e74c3c,color:#fff,stroke:#c0392b
    style FUTURE fill:#adb5bd,color:#fff,stroke:#6c757d
    style B2B_API fill:#dc3545,color:#fff
    style B2G_API fill:#198754,color:#fff

4. Chart of Accounts Standard [MEDIUM]

Governing Framework [MEDIUM]

Accounting Standards [HIGH]

Croatia, as an EU member, follows:

Chart Structure [MEDIUM]

The Croatian Chart of Accounts (Računski plan) follows traditional structure:

Industry Bodies [MEDIUM]

5. Record Keeping Requirements [MEDIUM]

Retention Period [MEDIUM]

Electronic Storage [MEDIUM]

6. Fiscalization 1.0 (B2C) [HIGH]

Real-Time Cash Register Fiscalization [HIGH]

Technical Requirements [MEDIUM]

7. MVP Impact Assessment

MVP-CRITICAL (Must Have for Legal Operation in Croatia)

  1. eRačun B2B Integration (Fiscalization 2.0) [HIGHEST PRIORITY]

    • UBL 2.1 or CII XML invoice generation
    • EN 16931 standard compliance
    • Real-time transmission to eRačun platform API
    • FINA platform integration
    • WITHOUT THIS: B2B invoicing is ILLEGAL in Croatia as of Jan 1, 2026

  2. PDV (VAT) Calculation [HIGH PRIORITY]

    • Support for 25% / 13% / 5% / 0% rates
    • Automatic rate selection based on product/service type
    • VAT report generation for monthly filing

  3. Croatian Chart of Accounts [HIGH PRIORITY]

    • RRiF-compliant account structure
    • Croatian language support for account names
    • IFRS-aligned for publicly traded clients (if targeting them)

  4. eRačun B2G Integration (if targeting public sector clients) [HIGH PRIORITY]

    • Servis eRačun za državu platform API
    • UBL 2.1 format (recommended)
    • EN 16931 compliance
    • Mandatory since 2019 — mature system

FUTURE (v2 or Later)

  1. Fiscalization 1.0 (B2C Cash Registers) [MEDIUM PRIORITY]

    • Only needed if Bilko targets retail/POS segment
    • Most B2B SaaS accounting software does NOT need this
    • Fiscal device certification required

  2. Advanced IFRS Features [LOW PRIORITY]

    • Full IFRS reporting for PIEs (Public Interest Entities)
    • Consolidated financial statements
    • Multi-entity accounting

  3. Multi-Currency Support [LOW PRIORITY]

    • Croatia uses Euro (€) since January 1, 2023 [HIGH]
    • Initial MVP: Euro only
    • Foreign currency: Phase 2

Implementation Notes for Bilko

Critical Path for Croatia

  1. eRačun API Integration

    • Priority #1 — B2B invoicing is MANDATORY since Jan 1, 2026
    • Study FINA eRačun API documentation
    • Sandbox testing environment available
    • FINA Documentation: www.fina.hr (Croatian language)

  2. UBL 2.1 Generator

    • Same engine can serve B2G and B2B
    • EN 16931 validation library required
    • Consider open-source UBL libraries (Java, PHP, Python)

  3. Digital Certificates

    • Qualified certificates required for invoice signing
    • Croatian CA (Certification Authority) needed
    • May require Croatian company registration

  4. Language Localization

    • Croatian language MANDATORY for:
      • Chart of accounts
      • Invoice templates
      • Tax reports
      • User interface (if targeting Croatian SMBs)

Risks

Competitive Advantage

UNVERIFIED ITEMS — NEEDS LOCAL ADVISOR REVIEW

  1. Exact record retention period per document type: Likely 5-10 years, needs confirmation
  2. Non-VAT registered taxpayer e-invoicing delay: Confirmed Jan 1, 2027 — verify this is still valid
  3. FINA API technical specifications: Requires registration and Croatian company status?
  4. Digital certificate requirements: Type, issuing CA, cost
  5. Penalties for non-compliance: Fine amounts for missing/late B2B e-invoices

Sources

Regulatory

Bilko HR eRačun — sveRačun (PostLink) Integration & Status Model

Overview

Provider: sveRačun by PostLink d.o.o. (Velika Gorica, HR).
Contact: David Krišto david.kristo@sveracun.hr, Ivan Jurić ivan.juric@sveracun.hr.
API docs: https://sveracun-public-api.redocly.app/

Replaces the abandoned Storecove plan (MC #8675, not approved). CEO accepted sveRačun partnership 2026-06-11.

Current state: adapter MERGED to main, GATED/DISABLED (SVERACUN_HR_LIVE=false, adapter_config sveracun-hr-fisk enabled=FALSE). Live activation pending (MC #103443).

API

OperationEndpointNotes
Submit documentPOST https://test.sveracun.hr/api/rest/v1/documents/sendAuth header: Authorization: <raw-api-key> (apiKey scheme, NOT Bearer). Body: raw UBL 2.1 XML (application/octet-stream). Response: {"documentId":"<hex>"}. PROD base URL differs from TEST.
Internal statusPOST /rest/v1/documents/getInternalStatusPoll only — no webhook.
External statusPOST /rest/v1/documents/getExternalStatusProvider also references documents/getStatus.

Two-Stage Processing (per David Krišto / PostLink)

Etapa 1 — Basic parse: the initiator OIB (the OIB that calls send, tied to the API key) MUST equal the sender OIB inside the UBL XML, plus recipient/document-type/process checks. Mismatch results in status FAILED.

Etapa 2 — Full routing: validation vs Porezna uprava validator; recipient access-point lookup; SBD preparation; AS4 exchange (waits 5 min for recipient access point; on unavailability retries up to 24× every 30 min); outbound fiscalization; archiving.

Status Model (Authoritative — correct as of 2026-06-11)

Internal statuses

StatusMeaning
NEWInbound-only — document available to pick up.
OKProcessed successfully by sveRačun.
FAILEDProcessing interrupted (e.g. sender OIB mismatch, parse error).
UNKNOWNCurrently being processed.
UNDELIVERABLERecipient not registered in AMS (access-point lookup failed).

External (fiscalization) statuses

StatusMeaning
FISCALIZATION:OKFiscalization succeeded.
FISCALIZATION:ERRORFiscalization failed.
nullNot yet forwarded to fiscalization.
FISCALIZATION_PAYMENT_REPORT:OK|ERRORPayment report fiscalization result.
FISCALIZATION_REJECTION_REPORT:OK|ERRORRejection report fiscalization result.
FISCALIZATION_NOT_DELIVERED_REPORT:OK|ERRORNot-delivered report fiscalization result.

Bilko decision: composite outcome classification

OutcomeCondition
SUCCESSinternal = OK AND external = FISCALIZATION:OK
FAILUREinternal = FAILED | UNDELIVERABLE, OR external = FISCALIZATION:ERROR | any REJECTION_REPORT | any NOT_DELIVERED_REPORT
PENDINGinternal = UNKNOWN | NEW, OR external = null

How do we know the invoice arrived? Poll until external status is FISCALIZATION:OK (success) or any *_REPORT/ERROR terminal state (failure). There is NO webhook from sveRačun.

Implementation

Source files

Key implementation detail

serialize() forces UBL AccountingSupplierParty OIB to equal SVERACUN_SENDER_VAT (e.g. HR91276104352). If this env var is unset the method is fail-closed (throws before submitting). This prevents Etapa-1 sender-OIB mismatch failures.

Configuration & secrets

VariablePurposeWhere stored
SVERACUN_API_KEYAPI authentication (raw key, not Bearer)GCP Secret: bilko-sveracun-test-api-key (TEST); separate PROD secret to be provisioned.
SVERACUN_BASE_URLBase URL (test vs prod differs)Cloud Run env
SVERACUN_SENDER_VATSender OIB for UBL XML + Etapa-1 initiator matchCloud Run env
SVERACUN_HR_LIVEFeature gate (false = adapter disabled)Cloud Run env

SECURITY: Never commit or log the actual API key value. Always retrieve from GCP Secret Manager at runtime.

PRs & tests

Verification

Proveo independent PASS — live TEST submit returned HTTP 200, internalStatus=UNKNOWN (processing) after Etapa-1 sender-OIB fix. Prior FAILED result was caused by sender/initiator OIB mismatch before the serialize() fix. Evidence: /tmp/evidence-103445/.

Activation Checklist (MC #103443 — NOT yet done)

Document Metadata

Regulatory

Bilko B5 — Per-Line VAT Exemption Classification (MC #103593, 2026-06-15)

Context & Decision

Date: 2026-06-15  |  MC: #103593  |  Decision authority: CEO (Alem Basic)

Domain expert Vlado Brkanć reviewed the existing VAT exemption approach during his B5 classification review (MC #103508). The prior system derived a single document-level allExempt flag in GlBridge.kt and auto-selected the VATEX code from the organisation VAT number prefix (orgVatNum.startsWith("EU")).

Why this was legally insufficient:

CEO decision 2026-06-14: Option C — Hybrid model. The system auto-suggests an exemption code per line at invoice-creation time; the accountant must confirm or override before issuing to Sveracun. Exemption code is NOT a hard-block on invoice creation (create always succeeds; validation runs at the SveRacun submit boundary).

What Changed (B5 Implementation)

Database — V90 Migration

File: apps/api/src/main/resources/db/migration/V90__invoice_item_vat_exemption_code.sql

Schema (Prisma)

InvoiceItem model: vatExemptionCode String? field added (nullable, no default).

Exposed Table

InvoiceItems in Tables.kt: vatExemptionCode column wired to V90.

Canonical Invoice Builder (HrEInvoiceService.kt)

UBL Output (StorecoveHrFiskEInvoiceAdapter.kt)

HrUblBuilder emits TaxExemptionReasonCode (BT-121) and TaxExemptionReason (BT-120) in each TaxSubtotal block, one per exemption code group.

GL Bridge (GlBridge.kt)

The allExempt heuristic is replaced with a per-item lookup:

// Before (B1 heuristic):
val allExempt = items.all { it[InvoiceItems.vatExempt] }
val vatExemptionCode = when {
    allExempt && jurisdiction == "HR" && orgVatNum?.startsWith("EU") == true -> "EU_41"
    allExempt -> "EXEMPT_39"
    else -> null
}

// After (B5):
val itemCodes = items.mapNotNull { it[InvoiceItems.vatExemptionCode] }.distinct()
val vatExemptionCode = if (itemCodes.size == 1) itemCodes.first() else null

Mixed-code invoices result in null at document level — GL rule R-5 (standard/mixed) applies.

Credit Notes (CN, type 381)

Full CN (storno): vatExemptionCode is inherited per-line from the original invoice items. Partial CN: inherited from caller-supplied item map. Both paths persist to invoice_items and the GL bridge receives the correct code without the allExempt re-derivation. The createCreditNote path in InvoiceService.kt was updated accordingly.

Invoice Service (InvoiceService.kt)

createInvoice and updateInvoice: accept and persist vatExemptionCode per item. Code validation against the four allowed values happens here (not in the DB).

VATEX Mapping Table

Bilko CodeEN 16931 VATEXBT-120 Text (HR)ZPDV Article
EU_41vatex-eu-icOslobođenje od PDV-a — isporuka unutar EUčl. 41 ZPDV
EXPORT_45vatex-eu-gOslobođenje od PDV-a — izvoz u treće zemlječl. 45 ZPDV
EXEMPT_39vatex-eu-oOslobođenje od PDV-a — usluge/isporuke po čl. 39 ZPDVčl. 39 ZPDV
EXEMPT_40vatex-eu-eOslobođenje od PDV-a — financijske/osigurateljne uslugečl. 40 ZPDV

EN 16931 BT-121 carries the VATEX code; BT-120 carries the human-readable reason text. A mixed invoice produces one TaxSubtotal group per distinct code.

Hybrid UX Model

Open Item — čl.79 ZPDV Statutory Text

A TODO(B5-art79) marker is present in HrEInvoiceService.vatexReasonText(). Before embedding the exact Croatian statutory article text in the printed invoice UI, the precise subpoint of čl.79 st.1 ZPDV NN must be confirmed by fetching the operative text from narodne-novine.nn.hr. This is an open item for Lexicon/legal review before the printed-invoice feature ships.

Test Evidence

SuiteTestsPassNotes
VatExemptionB5Test (new)77All B5-specific assertions
HrEInvoiceCanonicalInvoiceTest (B3)55Regression
TaxCorrectnessB4Test~15~15Regression
PostingRuleEngineTest~20~20Regression
CreditNote381ComplianceTest~5~5Regression
Full suite156415604 pre-existing INFRA-SKIP (SVERACUN_SENDER_VAT env var missing, not B5)

Commit: 256d539e on branch feat/103593-b5-exemption. Build: PASS (0 compile errors; 4 pre-existing infra-skip failures are env-var-gated and not introduced by B5).

Deploy Status

NOT yet deployed. Branch work is Proveo-verified (build PASS, all B5 tests PASS). Deploy is pending the Azure migration — GCP billing is inactive; the production environment is moving to Azure. This page will be updated when the deploy completes.

Prerequisite: Flyway V90 migration must run against the target database before the service starts.

Security & Compliance

Security architecture, RBAC, encryption, GDPR compliance

Security & Compliance

Security Architecture

Bilko — Security Architecture

Status: PLANNED (backend not built yet, security measures documented for implementation)

This document defines the security architecture for Bilko, a financial SaaS handling sensitive accounting data.

Security Principles

  1. Defense in Depth — Multiple layers of security (network, application, database)
  2. Least Privilege — Users and services get minimum necessary permissions
  3. Zero Trust — Verify every request, never assume trust
  4. Encryption Everywhere — Data encrypted in transit and at rest
  5. Immutable Audit Trail — All actions logged, tamper-proof

Security Layers Diagram

graph TD
    CLIENT["Client Browser / PWA"]

    subgraph NETWORK["Network Layer"]
        CF["Cloudflare\nDDoS Protection\nTLS 1.3 termination\nHSTS"]
    end

    subgraph APP_LAYER["Application Layer"]
        HELMET["Helmet.js\nCSP + X-Frame + HSTS\nno X-Powered-By"]
        CORS["CORS Whitelist\nbilko.io only\nno wildcard *"]
        RATE["Rate Limiter\nexpress-rate-limit\n5 req/min auth\n100 req/min general"]
        AUTH_MW["Auth Middleware\nJWT verify\norg-scope injection"]
        RBAC_MW["RBAC Middleware\nrole check\nowner / admin / accountant / viewer"]
        ZOD["Zod Validation\nall request bodies\ntype-safe parsing"]
    end

    subgraph DATA_LAYER["Data Layer"]
        PRISMA_ORM["Prisma ORM\nparameterized queries\nno raw SQL for user input\norg-scoped WHERE"]
        PG_ENC["PostgreSQL Railway\nAES-256 disk encryption\nbackup encryption"]
    end

    subgraph AUDIT["Audit Layer"]
        LOG["LoggedAction table\nAPPEND-ONLY\nIP + user + timestamp\nold/new values"]
    end

    CLIENT --> CF --> HELMET --> CORS --> RATE --> AUTH_MW --> RBAC_MW --> ZOD --> PRISMA_ORM --> PG_ENC
    PRISMA_ORM --> LOG

Authentication

Strategy: JWT (JSON Web Tokens)

Why JWT?

Token Types

Access Token

Refresh Token

JWT Payload Example

{
  "sub": "user-uuid",
  "org": "org-uuid",
  "role": "admin",
  "iat": 1640000000,
  "exp": 1640000900
}

Token Flow

1. User logs in → POST /api/v1/auth/login
   ← Access token (header) + Refresh token (httpOnly cookie)

2. User makes request → GET /api/v1/invoices (Authorization: Bearer <access>)
   ← Protected resource

3. Access token expires (15 min) → POST /api/v1/auth/refresh (httpOnly cookie)
   ← New access token + New refresh token

4. User logs out → POST /api/v1/auth/logout
   → Delete refresh token from DB
   ← 204 No Content

JWT Auth Flow (Sequence)

sequenceDiagram
    actor User
    participant FE as Frontend (bilko.io)
    participant API as Express API (api.bilko.io)
    participant DB as PostgreSQL

    User->>FE: Enter email + password
    FE->>API: POST /api/v1/auth/login
    API->>DB: SELECT user WHERE email = ?
    DB-->>API: User record (passwordHash)
    API->>API: bcrypt.compare(password, hash)
    alt Password valid
        API->>API: jwt.sign({sub, org, role}, JWT_SECRET, 15m)
        API->>API: jwt.sign({sub}, JWT_REFRESH_SECRET, 7d)
        API->>DB: INSERT refreshToken (hashed, expiresAt)
        API-->>FE: 200 { accessToken } + Set-Cookie: refreshToken (httpOnly)
        FE->>FE: Store accessToken in memory
    else Password invalid
        API-->>FE: 401 Unauthorized
    end

    Note over FE,API: 15 minutes later — access token expires
    FE->>API: POST /api/v1/auth/refresh (Cookie: refreshToken)
    API->>DB: SELECT refreshToken WHERE token = ? AND expiresAt > NOW()
    DB-->>API: Valid token record
    API->>API: Rotate: delete old, issue new refresh token
    API->>DB: DELETE old refreshToken, INSERT new refreshToken
    API-->>FE: 200 { newAccessToken } + Set-Cookie: newRefreshToken

    Note over User,DB: User logs out
    User->>FE: Click logout
    FE->>API: POST /api/v1/auth/logout
    API->>DB: DELETE refreshToken WHERE userId = ?
    API-->>FE: 204 No Content
    FE->>FE: Clear accessToken from memory

Implementation (Backend)

import jwt from 'jsonwebtoken';
import bcrypt from 'bcrypt';

// Generate access token
const accessToken = jwt.sign(
  { sub: user.id, org: user.organizationId, role: user.role },
  process.env.JWT_SECRET!,
  { expiresIn: '15m' }
);

// Generate refresh token
const refreshToken = jwt.sign(
  { sub: user.id },
  process.env.JWT_REFRESH_SECRET!,
  { expiresIn: '7d' }
);

// Store refresh token in DB (for revocation)
await prisma.refreshToken.create({
  data: {
    token: refreshToken,
    userId: user.id,
    expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
  },
});

Password Security

Hashing: bcrypt

Algorithm: bcrypt with 12 salt rounds

Why bcrypt?

Password Requirements

Implementation

import bcrypt from 'bcrypt';

// Hash password (registration)
const passwordHash = await bcrypt.hash(password, 12);

// Verify password (login)
const isValid = await bcrypt.compare(password, user.passwordHash);

Two-Factor Authentication (2FA)

Strategy: TOTP (Time-based One-Time Password)

Compatible with:

Setup Flow

1. User enables 2FA → POST /api/v1/auth/2fa/setup
   ← QR code + secret (base32)

2. User scans QR code in authenticator app
   → Generates 6-digit code

3. User verifies code → POST /api/v1/auth/2fa/verify { code }
   ← 200 OK (2FA enabled)

Login Flow with 2FA

1. User logs in → POST /api/v1/auth/login { email, password }
   ← 200 OK + { requires2FA: true, tempToken }

2. User enters code → POST /api/v1/auth/2fa/login { tempToken, code }
   ← Access token + Refresh token

Backup Codes

Generate 10 single-use backup codes during 2FA setup:

Authorization (RBAC)

RBAC Permission Model

classDiagram
    class Owner {
        +createInvoice()
        +editInvoice()
        +deleteInvoice()
        +viewInvoice()
        +approveExpense()
        +generateReport()
        +inviteUser()
        +editOrgSettings()
        +deleteOrg()
    }
    class Admin {
        +createInvoice()
        +editInvoice()
        +viewInvoice()
        +approveExpense()
        +generateReport()
        -deleteInvoice()
        -inviteUser()
        -editOrgSettings()
    }
    class Accountant {
        +viewInvoice()
        +viewExpense()
        +generateReport()
        -createInvoice()
        -editInvoice()
        -approveExpense()
        -inviteUser()
    }
    class Viewer {
        +viewDashboard()
        +viewReports()
        -createInvoice()
        -editInvoice()
        -generateReport()
        -inviteUser()
    }

    Owner --|> Admin : inherits all Admin permissions
    Admin --|> Accountant : inherits read access
    Accountant --|> Viewer : inherits view access

Roles

Role Permissions
owner Full access (edit org settings, invite users, delete data)
admin Manage invoices, expenses, contacts, reports (no org settings)
accountant Read invoices/expenses, create reports (no edit)
viewer Read-only access (dashboard, reports)

Permission Matrix

Action owner admin accountant viewer
Create invoice
Edit invoice
Delete invoice
View invoice
Approve expense
Generate report
Invite user
Edit org settings

Implementation (Middleware)

import { Request, Response, NextFunction } from 'express';

function requireRole(roles: string[]) {
  return (req: Request, res: Response, next: NextFunction) => {
    if (!roles.includes(req.user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next();
  };
}

// Usage
app.post('/api/v1/invoices', requireRole(['owner', 'admin']), createInvoice);

Encryption

In Transit: TLS 1.3

All traffic encrypted via HTTPS:

TLS Configuration:

At Rest: Database Encryption

PostgreSQL (Railway):

Cloudflare R2 (Files):

Secrets Management

NEVER commit secrets to git:

OWASP Top 10 Mitigations

1. Injection (SQL Injection)

Mitigation: Prisma ORM parameterized queries

// SAFE — Prisma auto-escapes
await prisma.invoice.findMany({
  where: { customerId: req.params.id }
});

// UNSAFE — Never use raw SQL for user input
await prisma.$queryRaw`SELECT * FROM invoices WHERE customer_id = ${req.params.id}`;

2. Broken Authentication

Mitigations:

3. Sensitive Data Exposure

Mitigations:

4. XML External Entities (XXE)

Not applicable — Bilko does not parse XML.

5. Broken Access Control

Mitigations:

// Organization scoping middleware
app.use('/api/v1/*', (req, res, next) => {
  req.prismaWhere = { organizationId: req.user.organizationId };
  next();
});

// Apply to queries
await prisma.invoice.findMany({ where: req.prismaWhere });

6. Security Misconfiguration

Mitigations:

import helmet from 'helmet';

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"], // Next.js requires unsafe-inline
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
    },
  },
}));

7. Cross-Site Scripting (XSS)

Mitigations:

// SAFE — React escapes by default
<p>{invoice.description}</p>

// UNSAFE — Only use with sanitized HTML
<div dangerouslySetInnerHTML={{ __html: sanitizedHTML }} />

8. Insecure Deserialization

Not applicable — Bilko does not deserialize untrusted data.

9. Using Components with Known Vulnerabilities

Mitigations:

10. Insufficient Logging & Monitoring

Mitigations:

Rate Limiting

Rate Limiting Flow

flowchart TD
    REQ["Incoming Request"]
    ENDPOINT{{"Endpoint?"}}

    AUTH_CHECK{{"IP count\n≤5 per 15min?"}}
    REG_CHECK{{"IP count\n≤3 per 60min?"}}
    REFRESH_CHECK{{"IP count\n≤10 per 15min?"}}
    REPORT_CHECK{{"User count\n≤10 per 15min?"}}
    GENERAL_CHECK{{"IP count\n≤100 per 15min?"}}

    PASS["Pass to route handler"]
    BLOCK["429 Too Many Requests\n'Try again later'"]

    REQ --> ENDPOINT
    ENDPOINT -->|"/auth/login"| AUTH_CHECK
    ENDPOINT -->|"/auth/register"| REG_CHECK
    ENDPOINT -->|"/auth/refresh"| REFRESH_CHECK
    ENDPOINT -->|"/reports/*"| REPORT_CHECK
    ENDPOINT -->|"all other /api/*"| GENERAL_CHECK

    AUTH_CHECK -->|Yes| PASS
    AUTH_CHECK -->|No| BLOCK
    REG_CHECK -->|Yes| PASS
    REG_CHECK -->|No| BLOCK
    REFRESH_CHECK -->|Yes| PASS
    REFRESH_CHECK -->|No| BLOCK
    REPORT_CHECK -->|Yes| PASS
    REPORT_CHECK -->|No| BLOCK
    GENERAL_CHECK -->|Yes| PASS
    GENERAL_CHECK -->|No| BLOCK

Prevent brute force and abuse:

Endpoint Limit Window
/api/v1/auth/login 5 requests 15 minutes
/api/v1/auth/register 3 requests 60 minutes
/api/v1/auth/refresh 10 requests 15 minutes
/api/v1/* (general) 100 requests 15 minutes
/api/v1/reports/* 10 requests 15 minutes

Implementation

import rateLimit from 'express-rate-limit';

const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5,
  message: 'Too many login attempts, try again later',
});

app.post('/api/v1/auth/login', authLimiter, loginHandler);

Input Validation

All inputs validated with Zod schemas:

Example: Invoice Validation

import { z } from 'zod';

const createInvoiceSchema = z.object({
  customerId: z.string().uuid(),
  invoiceDate: z.string().regex(/^\d{4}-\d{2}-\d{2}$/),
  dueDate: z.string().regex(/^\d{4}-\d{2}-\d{2}$/),
  currencyCode: z.enum(['EUR', 'RSD', 'BAM', 'HRK']),
  items: z.array(z.object({
    description: z.string().min(1).max(500),
    quantity: z.number().positive(),
    unitPrice: z.number().nonnegative(),
    taxRate: z.number().min(0).max(100),
  })),
});

// Middleware
function validate(schema: z.ZodSchema) {
  return (req, res, next) => {
    try {
      req.body = schema.parse(req.body);
      next();
    } catch (error) {
      res.status(400).json({ error: error.errors });
    }
  };
}

// Usage
app.post('/api/v1/invoices', validate(createInvoiceSchema), createInvoice);

File Upload Security

Allowed File Types

Validation

import multer from 'multer';
import path from 'path';

const upload = multer({
  limits: { fileSize: 10 * 1024 * 1024 }, // 10MB
  fileFilter: (req, file, cb) => {
    const allowedTypes = ['.jpg', '.jpeg', '.png', '.pdf'];
    const ext = path.extname(file.originalname).toLowerCase();
    if (allowedTypes.includes(ext)) {
      cb(null, true);
    } else {
      cb(new Error('Invalid file type'));
    }
  },
});

Virus Scanning (Planned)

Phase 2: Integrate ClamAV for virus scanning before upload to R2.

Audit Trail

LoggedAction Table (Immutable)

All mutations logged:

Example Audit Log Entry

{
  "eventId": 12345,
  "tableName": "invoices",
  "action": "UPDATE",
  "userId": "user-uuid",
  "actionTimestamp": "2026-02-20T10:30:00Z",
  "rowData": { "id": "invoice-uuid", "status": "draft" },
  "changedFields": { "status": { "old": "draft", "new": "sent" } },
  "clientIp": "192.168.1.10"
}

Audit Queries

// Get user activity
await prisma.loggedAction.findMany({
  where: { userId: 'user-uuid' },
  orderBy: { actionTimestamp: 'desc' },
  take: 100,
});

// Get invoice history
await prisma.loggedAction.findMany({
  where: {
    tableName: 'invoices',
    rowData: { path: ['id'], equals: 'invoice-uuid' },
  },
});

Data Retention & Deletion

User Data Deletion (GDPR Right to Erasure)

Process:

  1. User requests deletion → POST /api/v1/account/delete
  2. Soft delete user record (mark deletedAt)
  3. Anonymize LoggedAction entries (replace user ID with "deleted-user")
  4. Delete PII (email, name)
  5. Keep financial records (required by law, minimum 5 years)

Soft Delete Implementation:

await prisma.user.update({
  where: { id: userId },
  data: {
    email: `deleted-${userId}@example.com`,
    fullName: 'Deleted User',
    passwordHash: '',
    deletedAt: new Date(),
  },
});

Security Testing

Static Analysis

Dependency Scanning

Penetration Testing (Future)

Incident Response Plan

Detection

Response

  1. Identify: What is the breach? (data leak, DDoS, unauthorized access)
  2. Contain: Block attacker IP, revoke compromised tokens
  3. Eradicate: Fix vulnerability, patch code
  4. Recover: Restore from backup if needed
  5. Document: Write post-mortem, update security docs

Notification

Security Checklist (Pre-Launch)

Last Updated: 2026-02-20 Status: PLANNED — Backend not built yet, security measures to be implemented Compliance: OWASP Top 10, GDPR Article 32 (Security of Processing)

Security & Compliance

GDPR & Compliance

Bilko — Regulatory Compliance

Status: NOT COMPLIANT — Requires legal review and implementation (Phase 2)

This document outlines regulatory compliance requirements for Bilko as a Balkan accounting SaaS.

Compliance Scope

Bilko operates in a highly regulated space:

Region Regulations
EU/EEA GDPR (General Data Protection Regulation)
Serbia Zakon o računovodstvu, SEF (Sistem E-Faktura)
Bosnia & Herzegovina Zakon o PDV-u, Electronic bookkeeping requirements
Croatia Zakon o fiskalizaciji, eRačun (public sector invoicing)

Current Status: MVP focuses on GDPR compliance. Balkan-specific regulations deferred to Phase 2.

Compliance Roadmap by Phase

graph LR
    subgraph P1["Phase 1 — MVP (pre-launch)"]
        GDPR["GDPR\nData minimization\nEncryption TLS+AES-256\nUser rights endpoints\nDPA with processors"]
    end

    subgraph P2["Phase 2 — Serbia Launch (3-6mo)"]
        RS_COA["Serbian CoA\n(Kontni plan template)"]
        RS_VAT["VAT 20%\nReporting"]
        RS_REP["Financial Reports\nBilans stanja\nBilans uspeha"]
        RS_SEF["SEF Integration\nB2G e-invoicing\n(optional at MVP)"]
    end

    subgraph P3["Phase 3 — Regional (12-18mo)"]
        BIH["BiH\nVAT 17%\nPDV prijava"]
        HR["Croatia\nVAT 25%\nFiskalizacija 2.0\neRačun B2G\nDigital signature"]
    end

    P1 --> P2 --> P3

GDPR (General Data Protection Regulation)

Applicability

Data We Collect

Data Type Purpose Legal Basis Retention
Email Account authentication Contract performance Until account deletion
Full name User identification Contract performance Until account deletion
IP address Security audit trail Legitimate interest 30 days
Password (hashed) Authentication Contract performance Until account deletion
Organization name Service delivery Contract performance 5 years (accounting law)
Financial records Service delivery Legal obligation 5-10 years (varies by country)

GDPR Principles Compliance

1. Lawfulness, Fairness, Transparency (Article 5(1)(a))

Implementation:

Status: PLANNED — Privacy policy to be drafted

2. Purpose Limitation (Article 5(1)(b))

Implementation:

Status: COMPLIANT (by design)

3. Data Minimization (Article 5(1)(c))

Implementation:

Status: COMPLIANT (by design)

4. Accuracy (Article 5(1)(d))

Implementation:

Status: COMPLIANT (by design)

5. Storage Limitation (Article 5(1)(e))

Implementation:

Status: PLANNED — Deletion workflow to be implemented

6. Integrity & Confidentiality (Article 5(1)(f))

Implementation:

Status: PLANNED — See SECURITY-ARCHITECTURE.md

GDPR Data Flow Diagram

flowchart TD
    USER["User (Data Subject)"]
    REG["Registration\nPOST /api/v1/auth/register"]
    STORE_PII["Store PII\nRailway EU West (Frankfurt)\nAES-256 at rest\nemail, name, passwordHash (bcrypt)"]
    PROCESS["Service Processing\nInvoices, Expenses, Reports\nOrganization data"]
    LOG["Audit Trail\nLoggedAction table\nIP + timestamp (30 days)"]
    FILE["File Storage\nCloudflare R2 EU\nReceipts + PDFs\nAES-256"]

    subgraph THIRD["Third-Party Processors (DPA Required)"]
        RAILWAY["Railway EU West\n(DB hosting)"]
        VERCEL["Vercel\n(Frontend hosting)"]
        CF_R2["Cloudflare R2 EU\n(File storage)"]
        SG["SendGrid\n(Transactional email)"]
    end

    USER -->|"Consent via ToS"| REG --> STORE_PII
    STORE_PII --> PROCESS --> LOG
    PROCESS --> FILE

    STORE_PII --> RAILWAY
    REG --> VERCEL
    FILE --> CF_R2
    PROCESS -->|"Invoice emails"| SG

GDPR Rights (Articles 12-22)

Right to Access (Article 15)

User can request:

Implementation:

// Endpoint: GET /api/v1/account/data
await prisma.user.findUnique({
  where: { id: userId },
  include: { organization: true, auditLogs: true },
});

Status: PLANNED

Right to Rectification (Article 16)

User can:

Implementation:

// Endpoint: PATCH /api/v1/account/profile
await prisma.user.update({
  where: { id: userId },
  data: { email, fullName },
});

Status: PLANNED

Right to Erasure (Article 17)

Exceptions:

Implementation:

// Endpoint: DELETE /api/v1/account
await prisma.user.update({
  where: { id: userId },
  data: {
    email: `deleted-${userId}@example.com`,
    fullName: 'Deleted User',
    passwordHash: '',
    deletedAt: new Date(),
  },
});

Status: PLANNED

Right to Data Portability (Article 20)

User can:

Implementation:

// Endpoint: GET /api/v1/account/export
const data = {
  user: await prisma.user.findUnique({ where: { id: userId } }),
  invoices: await prisma.invoice.findMany({ where: { organizationId } }),
  expenses: await prisma.expense.findMany({ where: { organizationId } }),
};
res.json(data);

Status: PLANNED

Right to Object (Article 21)

Not applicable — Bilko does not use profiling or automated decision-making.

Data Processing Agreement (DPA)

Required when Bilko processes customer data on behalf of organizations.

Third-Party Processors:

Service Purpose DPA Available? GDPR Compliant?
Railway Database hosting Yes Yes (EU region)
Vercel Frontend hosting Yes Yes
Cloudflare R2 storage, DNS Yes Yes
SendGrid Transactional email Yes Yes

Action Required: Sign DPAs with all processors before launch.

Status: PENDING

Data Breach Notification (Article 33)

Requirement:

Process:

  1. Detect breach (monitoring, user report)
  2. Assess impact (how many users, what data)
  3. Contain breach (block attacker, revoke tokens)
  4. Notify authority (within 72h)
  5. Notify users (if high risk)
  6. Document incident (post-mortem)

Breach Notification Flow

sequenceDiagram
    participant MON as Monitoring (Sentry / Railway)
    participant JOHN as John (AI Director)
    participant ALEM as Alem (CEO)
    participant AUTH as Supervisory Authority
    participant USERS as Affected Users

    MON->>JOHN: Alert: anomaly detected
    JOHN->>JOHN: Assess impact\n(data type, user count)
    JOHN->>JOHN: Contain: revoke tokens\nblock attacker IP
    JOHN->>ALEM: Breach report + impact summary

    alt High risk to users
        ALEM->>AUTH: Notify within 72h (GDPR Art. 33)
        ALEM->>USERS: Email notification\n(nature of breach, data affected,\nsteps taken)
    else Low risk
        ALEM->>AUTH: Optional notification
        Note over USERS: No user notification required
    end

    JOHN->>JOHN: Post-mortem\nUpdate security docs\nPatch vulnerability

Status: PLANNED — Incident response plan documented in SECURITY-ARCHITECTURE.md

Data Protection Officer (DPO)

Required? No — Bilko does not meet GDPR Article 37 criteria:

Threshold: DPO required if >250 employees or large-scale processing. Bilko is small startup.

Status: NOT REQUIRED (as of 2026-02-20)

Data Residency

Requirement: Store EU user data within EU/EEA (GDPR Article 44-50)

Implementation:

Status: PLANNED — Configure Railway to EU region on deployment

Serbia — Zakon o računovodstvu (Accounting Law)

Applicability

Requirements

1. Chart of Accounts

Regulation: Companies must use standardized chart of accounts (Kontni plan)

Implementation:

Status: PLANNED — Create Serbian CoA seed data

2. Double-Entry Bookkeeping

Regulation: All transactions must use double-entry (debit + credit)

Implementation:

Status: COMPLIANT (by design)

3. Financial Reporting

Required reports:

Implementation:

Status: PLANNED — Backend report generation

4. Data Retention

Regulation: Financial records must be kept minimum 5 years

Implementation:

Status: PLANNED

SEF (Sistem E-Faktura) — Electronic Invoicing

Requirement: B2G (business-to-government) invoices must be submitted electronically via SEF portal.

Applicability:

Implementation (Phase 2):

Status: NOT IMPLEMENTED — Deferred to Phase 2

Bosnia & Herzegovina — Zakon o PDV-u (VAT Law)

VAT Rates

Requirements

1. VAT Calculation

Implementation:

Status: COMPLIANT (by design)

2. VAT Reporting

Required report:

Implementation:

Status: PLANNED — Backend report generation

3. Electronic Bookkeeping

Regulation: Companies with revenue >50,000 BAM must maintain electronic records.

Implementation:

Status: PLANNED (Phase 2)

Croatia — Zakon o fiskalizaciji (Fiscalization Law)

Applicability

Requirements

1. Fiscalization (Fiskalizacija 2.0)

Regulation: All invoices must be registered with tax authority in real-time.

Implementation (Phase 2):

Status: NOT IMPLEMENTED — Deferred to Phase 2

2. eRačun (Public Sector Invoicing)

Requirement: B2G invoices must be submitted via eRačun system.

Implementation (Phase 2):

Status: NOT IMPLEMENTED — Deferred to Phase 2

Multi-Country Compliance Matrix

Requirement Serbia BiH Croatia Implementation Status
Double-entry bookkeeping ✅ Required ✅ Required ✅ Required ✅ Compliant (Prisma schema)
VAT calculation 20% 17% 25% ✅ Compliant (configurable)
VAT reporting ✅ Required ✅ Required ✅ Required ⏳ Planned
Financial reports ✅ Required ✅ Required ✅ Required ⏳ Planned
Data retention (5 years) ✅ Required ✅ Required ✅ Required ⏳ Planned
Electronic invoicing (B2G) ✅ SEF ❌ Optional ✅ eRačun ❌ Phase 2
Real-time fiscalization ❌ Not required ❌ Not required ✅ Required ❌ Phase 2
Digital signature ❌ Not required ❌ Not required ✅ Required ❌ Phase 2

Data Retention Lifecycle

stateDiagram-v2
    [*] --> Active : User registers

    Active --> DeletionRequested : POST /api/v1/account/delete
    Active --> Active : Normal usage\n(invoices, expenses, reports)

    DeletionRequested --> SoftDeleted : Anonymize PII\nemail → deleted-{uuid}@example.com\nname → "Deleted User"\npasswordHash → ""

    SoftDeleted --> AuditAnonymized : Replace userId\nin LoggedAction\nwith "deleted-user"

    AuditAnonymized --> FinancialRetained : Financial records\nKEPT for 5 years\n(legal obligation Serbia/BiH/HR)

    FinancialRetained --> PermanentDelete : After 5-year\nretention period

    PermanentDelete --> [*]

    note right of Active
        IP logs: 30 days
        Audit trail: 30 days
        Financial data: indefinite (legal)
    end note

    note right of FinancialRetained
        Invoices, expenses,\ntransactions, reports\nretained per Zakon o računovodstvu
        User PII already anonymized
    end note

Compliance Roadmap

Phase 1 (MVP) — GDPR Only

Timeline: Pre-launch (before first customer)

Phase 2 (Serbia Launch)

Timeline: 3-6 months after MVP

Phase 3 (Regional Expansion)

Timeline: 12-18 months after MVP

Compliance Checklist (Pre-Launch)

GDPR

Serbia (Phase 2)

BiH (Phase 3)

Croatia (Phase 3)

Risk Assessment

Risk Likelihood Impact Mitigation
GDPR fine Low (if compliant) High (€20M) Implement all GDPR requirements pre-launch
Data breach Medium High Encryption, rate limiting, security audit
Serbian non-compliance Medium Medium Hire local accountant as advisor
Croatian fiscalization failure Low (Phase 3) High Partner with Croatian accounting firm
User data loss Low High Daily backups, test restore process

IMPORTANT: This document is for internal planning only. It is NOT legal advice.

Before launch:

Last Updated: 2026-02-20 Status: NOT COMPLIANT — Requires implementation and legal review Next Review: Before first paying customer Compliance Officer: TBD (hire accounting advisor in Phase 2)

Security & Compliance

Bilko CIAM abuse-gate fix — checkBefore moved outside SERIALIZABLE tx (MC #104069, root-cause of #103245)

Bilko CIAM abuse-gate fix — checkBefore moved outside SERIALIZABLE tx

MC #104069 | Root-cause of MC #103245 | Fixed 2026-06-20

1. THE BUG (root cause)

MC #103245 [H1-PRE-PUBLIC-LAUNCH] CIAM abuse gate was marked done 2026-06-09 16:35, but the actual fix was committed 17:27 and NEVER merged. In origin/main, CiamAbuseGate.checkBefore() ran ONLY inside UserProvisioningService.kt (called from inside the SERIALIZABLE transaction{} block in AuthService.createSessionFromEntraIdToken, line 334).

Exposed's SERIALIZABLE transaction retry handler caught/swallowed DisposableEmailException and TooManyRequestsException → disposable-email accounts (e.g. guerrillamailblock.com) and over-rate-limit requests got provisioned with HTTP 200 despite the gate. The disposable-email + rate-limit abuse gate was effectively defeated on the JIT/Entra provisioning path.

2. THE FIX

Commit: a862355a → rebased deb1621d
Branch: fix/abuse-gate-tx-swallow-103245
PR: #3

Changes:

3. VERIFICATION

4. PROCESS LESSON

A parent MC was closed before its fix was merged → the fix sat unmerged in a worktree for ~11 days.

Lesson: Do not mark a security MC done until the fix is verified merged on main. Link this to the broader "no fake DONE" rule.

References

Bilko demo — reverse-engineering + feature list + live Playwright test (MC #102883) — 2026-06-03

Summary

MC #102883 reverse-engineered the Bilko demo product from existing code into a full spec chain, then validated the live demo with Playwright. Target: bilko-demo.alai.no (HR/EUR/PDV demo tenant). No deploy; no product code changed (docs + e2e spec only).

Pipeline delivered (durable in docs/reverse-engineering/)

Live testing (Playwright / webapp-testing)

Verification

Deferred (follow-up MC #102884)

~28 features need a resettable demo tenant + 2nd account (viewer/accountant) to test safely: RBAC role-gating, destructive write flows (draft save/resume, OIB validation, travel-order/expense create+approve), multi-tenant isolation. These must NOT run against the customer-facing demo — deferred by design.

Bilko ADR-016: E-Invoice Adapter

Author: ALAI, 2026

ADR-016: E-Invoice Adapter & UBL 2.1 Canonical Model
  Status: Accepted Date: 2026-04-21 Author: ALAI, 2026 Related: ADR-015 (Four-Jurisdiction Plugin), ADR-019 (Integration Adapter Registry)  ---  
Context
  Each of Bilko's four tax jurisdictions mandates electronic invoicing via government-operated fiscal platforms:  | Jurisdiction         | Platform              | Format                 | Mandatory Since | Inbound Support | | -------------------- | --------------------- | ---------------------- | --------------- | --------------- | | RS (Serbia)          | SEF (efaktura.gov.rs) | UBL 2.1  SEF envelope | 2023            | Yes (B2B)       | | HR (Croatia)         | HR-FISK / FINA eRacun | UBL 2.1  FINA XML     | Jan 2026        | Yes (B2B)       | | BA-FED (Bosnia FBiH) | CPF                   | Unspecified (stub)     | TBD 2027        | Unknown         | | BA-RS (Bosnia RS)    | UINO                  | Unspecified (stub)     | TBD             | Unknown         |  
Problem Statement
  Bilko's invoice domain must:  1. Generate invoices in a canonical format independent of any single jurisdiction 2. Serialize to jurisdiction-specific XML/JSON for submission 3. Submit to fiscal platforms with retry/error handling 4. Poll for status updates (async platforms) 5. Parse inbound invoices received from suppliers (B2B procurement)  Without:  Embedding SEF/FINA-specific logic in the core `Invoice` model Duplicating invoice validation across 4 jurisdictions Tight coupling to any single platform's API changes  
Design Decision Drivers
  Vendor patterns adopted:  SAP B1 Electronic Filing Manager (EFM): Pluggable adapter layer per jurisdiction  canonical UBL 2.1 core EN 16931 European e-invoicing standard: Defines minimal invoice semantic model UBL 2.1 (ISO/IEC 19845): OASIS Universal Business Language — XML serialization  Key insight from SAP: The _canonical model_ should reflect accounting semantics, not platform wire formats. Adapters translate from canonical → platform-specific.  ---  
Decision
  
1. Canonical Invoice Model — EN 16931 Subset
  Bilko's internal invoice representation is a Kotlin data class implementing the EN 16931 Core Invoice Model (mandatory BT fields  optional BG groups).  File: `CanonicalInvoice.kt` (see `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/einvoice/CanonicalInvoice.kt`)  Key design rules:  1. All monetary amounts: `BigDecimal` with 4 decimal places (ADR-002) 2. All dates: `kotlinx.datetime.LocalDate` 3. VAT categories: UN/ECE 5305 codes (`S`, `Z`, `E`, `AE`, `O`, `K`, `G`) 4. Invoice types: UNTDID 1001 codes (380 = commercial invoice, 381 = credit note, 383 = debit note) 5. Currency codes: ISO 4217 (RSD, EUR, BAM) 6. Country codes: ISO 3166-1 alpha-2 (RS, HR, BA)  Mandatory fields (EN 16931 BT numbering in KDoc):  BT-1: Invoice number BT-2: Issue date BT-3: Invoice type code BT-5: Currency code BT-9: Due date BG-4: Supplier party (name, tax ID, address) BG-7: Buyer party (name, tax ID, address) BG-23: VAT breakdown per category BG-25: Invoice lines (minimum 1 line)  Extension point:   val adapterMetadata: Map = emptyMap()   For jurisdiction-specific fields not covered by EN 16931 (e.g., `sef.requestId`, `hr.fiscalCode`). Namespaced by adapter.  
2. EInvoiceAdapter Interface
  All jurisdiction-specific e-invoice integrations must implement this contract.  File: `EInvoiceAdapter.kt` (see `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/einvoice/EInvoiceAdapter.kt`)  Four methods (ADR-019 lifecycle contract):   interface EInvoiceAdapter {     val jurisdiction: TaxJurisdiction     val lifecycleState: AdapterLifecycleState  // STUB | SANDBOX_VERIFIED | PRODUCTION_CERTIFIED      @Throws(AdapterException::class)     fun serialize(invoice: CanonicalInvoice): ByteArray      @Throws(AdapterException::class)     fun submit(serializedInvoice: ByteArray, invoice: CanonicalInvoice): SubmitResult      @Throws(AdapterException::class)     fun pollStatus(submissionId: String, invoice: CanonicalInvoice): EInvoiceStatus      @Throws(AdapterException::class)     fun parseIncoming(rawPayload: ByteArray): CanonicalInvoice }   Lifecycle states (ADR-019):  `STUB`: Not implemented — all methods throw `AdapterException(NOT_IMPLEMENTED)` `SANDBOX_VERIFIED`: Tested against fiscal platform sandbox (e.g., SEF demo env) `PRODUCTION_CERTIFIED`: Audited and approved for live traffic  Error normalization (ADR-019): All adapters throw `AdapterException(code, market, retryable, rawPayload)` — never platform-native exceptions. Canonical error codes: `NETWORK_TIMEOUT`, `AUTH_TOKEN_EXPIRED`, `VALIDATION_SCHEMA_ERROR`, `PLATFORM_MAINTENANCE`, etc.  
3. Adapter Implementations — Phase 1 Priorities
  | Jurisdiction | Adapter Class           | Lifecycle State (2026-04-22) | Notes                                              | | ------------ | ----------------------- | ---------------------------- | -------------------------------------------------- | | RS           | `SEFEInvoiceAdapter`    | SANDBOX_VERIFIED             | Outbound  inbound implemented (MC #8682)          | | HR           | `HRFISKEInvoiceAdapter` | STUB                         | Blocked on FINA certificate (CEO decision pending) | | BA-FED       | `CPFEInvoiceAdapter`    | STUB                         | CPF spec not published                             | | BA-RS        | `UINOEInvoiceAdapter`   | STUB                         | UINO spec unavailable                              |  SEF Serbia (RS) — Reference Implementation:  Serialization: UBL 2.1 XML  SEF JSON envelope Submission: HTTPS POST to `https://efaktura.mfin.gov.rs/api/publicApi/invoice` Authentication: X.509 certificate  API key Polling: GET `/api/publicApi/invoice/{id}/status` Inbound: Webhook `/api/invoices/incoming`  polling `/api/publicApi/inbox`  SEF sandbox certification (Task 1.5): 5 invoice types tested in sandbox:  1. B2B outbound invoice 2. B2G outbound invoice (to government buyer) 3. Credit note 4. Cancelled invoice 5. Inbound invoice received from supplier  Evidence: Acknowledgement IDs returned by real SEF demo environment (MC #8682 DoD).  
4. Canonical → Platform Serialization Flow
   sequenceDiagram     participant Core as Invoice Service     participant Plugin as CountryPlugin (RS)     participant Adapter as SEFEInvoiceAdapter     participant SEF as SEF Platform      Core->>Plugin: generateEInvoiceXml(invoice)     Plugin->>Adapter: serialize(invoice)     Adapter->>Adapter: Map CanonicalInvoice → UBL 2.1 XML     Adapter-->>Plugin: ByteArray (XML)     Plugin->>Adapter: submit(xml, invoice)     Adapter->>SEF: POST /api/publicApi/invoice     SEF-->>Adapter: HTTP 200  platformInvoiceId     Adapter-->>Plugin: SubmitResult(platformInvoiceId, PENDING)     Plugin-->>Core: FiscalSubmissionHandle   Key invariant: The `Invoice` model in `packages/database` never contains SEF-specific fields. All jurisdiction logic flows through the plugin and adapter layers.  ---  
Consequences
  
Positive
  1. Platform independence: When SEF changes XML schema (happened 2024), only `SEFEInvoiceAdapter` changes. Core untouched. 2. Testability: Each adapter has isolated unit tests. Mock platforms for regression. 3. Incremental rollout: HR/BA adapters can remain stubs until fiscal platforms are ready. 4. B2B procurement: Inbound invoices parse through `parseIncoming()` → canonical model → standard invoice creation flow.  
Negative
  1. Mapping complexity: UBL 2.1 has 200+ optional fields. CanonicalInvoice supports ~40. Adapter must decide what to include. 2. Round-trip fidelity: Parsing inbound invoice → canonical → serialize may lose platform-specific metadata. Use `adapterMetadata` map. 3. Certification burden: Sandbox testing required per adapter before production (Phase 1 Task 1.5).  
Risks
  1. SEF/FINA breaking changes: Government platforms have no SLA, no deprecation policy. Mitigation: Adapter feature flags (ADR-019 Task 4.5) — disable broken adapter without redeploy. 2. CPF/UINO spec delays: BiH platforms have no published tech specs. Mitigation: Stub adapters document `NOT_IMPLEMENTED`; GA proceeds without BiH e-invoicing. 3. UBL 2.1 extensions: Some platforms extend UBL with custom namespaces. Mitigation: `adapterMetadata` carries extension data; serialization handles custom namespaces.  ---  
Implementation Notes
  
Validation Strategy
  EN 16931 validation (core):  Invoice must have ≥1 line `sum(lines.lineTotal)` == `invoice.totalAmountExclVat` `totalAmountExclVat  totalVatAmount` == `totalAmountInclVat` All amounts ≥ 0 (credit notes use negative `quantity`, not negative `unitPrice`)  Jurisdiction validation (adapter):  SEF Serbia: Buyer VAT ID must match PIB format (9 digits) HR Croatia: Supplier must be FINA-registered (OIB validation) Validation errors throw `AdapterException(VALIDATION_BUSINESS_RULE, retryable=false)`  
Async Submission Pattern (Transactional Outbox)
  SEF and HR-FISK are asynchronous. Recommended pattern:   // 1. Persist invoice to DB (transaction T1) // 2. Write to {market}_outbox table (still in T1) // 3. Commit T1 // 4. Background worker polls outbox, calls adapter.submit() // 5. Update outbox row with platformInvoiceId // 6. Background worker polls adapter.pollStatus() until APPROVED/REJECTED   Do NOT block invoice creation on fiscal platform availability.  
Sandbox Environments
  | Platform     | Sandbox URL                       | Credential Type           | | ------------ | --------------------------------- | ------------------------- | | SEF (RS)     | https://demo-efaktura.mfin.gov.rs | Test X.509 cert  API key | | HR-FISK (HR) | https://demo.fiskalizacija.hr     | Test FINA certificate     | | CPF (BA-FED) | N/A                               | Not available             | | UINO (BA-RS) | N/A                               | Not available             |  Sandbox credential convention (ADR-019):  Secret store path: `Bilko/sandbox/{market}/{secret-name}` Example: `Bilko/sandbox/RS/sef-api-key`  ---  
References
  EN 16931 spec: https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/Compliance+with+eInvoicing+standard UBL 2.1 spec: http://docs.oasis-open.org/ubl/UBL-2.1.html SEF Serbia docs: https://www.efaktura.gov.rs/en HR-FISK Croatia: https://www.porezna-uprava.hr/HR_Fiskalizacija/Stranice/Naslovna.aspx Implementation: `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/einvoice/` Master plan: `~/system/specs/bilko-multi-market-architecture-plan.md` (Phase 1 Task 1.4, Task 1.5) Related ADRs:   - ADR-015: Four-Jurisdiction Plugin Architecture   - ADR-019: Integration Adapter Registry  ---  
Approval
  Approved: 2026-04-21 by CEO Alem Basic Execution: Phase 0 Task 0.2, Phase 1 Task 1.4 (completed 2026-04-22, MC #8682)                                 




Bilko ADR-015: Four-Jurisdiction Plugin


Author: ALAI, 2026
# ADR-015: Four-Jurisdiction Plugin Architecture

**Status:** Accepted
**Date:** 2026-04-21
**Author:** ALAI, 2026
**Replaces:** ADR-006 (single `CountryPlugin` concept, now extended to 4 jurisdictions)
**Related:** ADR-016 (E-Invoice Adapter), ADR-017 (RLS Multi-Tenancy), ADR-018 (Market vs Locale), ADR-019 (Integration Adapter Registry)

---

## Context

Bilko must serve **four tax jurisdictions**: Serbia (RS), Croatia (HR), Bosnia-Herzegovina Federacija (BA-FED), and Bosnia-Herzegovina Republika Srpska (BA-RS). All four share ~80% of the accounting engine (double-entry bookkeeping, IFRS/IFRS-SME), but diverge significantly on:

- **VAT rates**: RS 20/10%, HR 25/13/5%, BA-FED 17%, BA-RS 17%
- **Chart of accounts**: Different Pravilnik/Kontni Okvir regulations per jurisdiction
- **E-invoice platforms**: SEF (RS), HR-FISK/FINA (HR), CPF (BA-FED), UINO (BA-RS)
- **Fiscal devices**: LPFR (RS), Fiskalizacija (HR), ESET (BA-RS)
- **Filing authorities**: APR (RS), FINA (HR), UIO (BA-FED), Poreska Uprava RS (BA-RS)
- **Currencies**: RSD, EUR, BAM, BAM
- **Retention laws**: 10y (RS), 11y (HR), 10y (BA-FED), 11y (BA-RS)

### Problem Statement

How do we serve 4 jurisdictions in **one codebase**, **one deployment**, **one database** without:

1. **Per-country forks** (Pantheon pattern — collapses team velocity)
2. **Single-jurisdiction hardcoding** (Fiken pattern — requires complete rewrite per market)
3. **Conditional spaghetti** (`if country == 'X'` throughout the core)

### Design Decision Drivers

**Expert consensus (5 agents unanimous):**

1. ONE app, ONE API, ONE DB at MVP scale — no microfrontends, no per-country deployments
2. Country plugin model (ADR-006) is architecturally sound — extend it
3. Treat BA-FED and BA-RS as **separate tax jurisdictions**, not subregions
   - Different tax authorities → different jurisdictions
   - Different Pravilnik (chart of accounts)
   - UIO operates at entity level, not state level

**Vendor patterns adopted:**

- **Odoo `l10n_xx` module pattern** — one module per jurisdiction
- **Intuit QuickBooks "Global-by-Design"** — externalized variability config
- **Xero TaxEngine** — centralized tax engine with regional rule sets
- **SAP B1 EFM** — e-invoice adapter layer with canonical UBL 2.1

---

## Decision

### 1. Canonical Tax Jurisdiction Enum

Bosnia-Herzegovina is modeled as **two jurisdictions** because FBiH and RS entities have:

- Different tax authorities
- Different chart-of-accounts regulations (Pravilnik)
- Separate VAT filing authorities (UIO operates at entity level)

A single `BA` flag would require runtime branching inside the plugin — defeating the purpose of the plugin model.

```kotlin
enum class TaxJurisdiction {
    /** Serbia — SEF, RSD, PDV 20/10%, APR. */
    RS,

    /** Croatia — HR-FISK/FINA, EUR, PDV 25/13/5%, FINA. */
    HR,

    /** Bosnia-Herzegovina, Federacija entity — CPF stub, BAM, PDV 17%, UIO/FIA. */
    BA_FED,

    /** Bosnia-Herzegovina, Republika Srpska entity — UINO stub, BAM, PDV 17%, PURS. */
    BA_RS
}
```

Stored in `Organization.taxJurisdiction` (database column: `tax_jurisdiction CHAR(6)`).

### 2. CountryPlugin Interface Contract

All jurisdiction-specific logic **must** go through this interface. The core engine remains jurisdiction-agnostic.

**Interface definition:**

```kotlin
interface CountryPlugin {
    fun jurisdiction(): TaxJurisdiction
    fun calculateVat(invoice: CanonicalInvoice): VatResult
    fun generateEInvoiceXml(invoice: CanonicalInvoice): ByteArray
    fun submitToFiscalPlatform(receipt: FiscalReceipt): FiscalSubmissionHandle
    fun getChartOfAccountsDefaults(): List<ChartOfAccountEntry>
    fun getFilingDeadlines(): List<FilingDeadline>
    fun getRetentionRules(): RetentionPolicy
    fun getCurrency(): java.util.Currency
    fun getFormatters(): JurisdictionFormatters
}
```

**Four implementations:**

- `PluginRS` — Serbia
- `PluginHR` — Croatia
- `PluginBAFED` — Bosnia-Herzegovina Federacija
- `PluginBARS` — Bosnia-Herzegovina Republika Srpska

All implementations must be **stateless**. Plugin selection is determined by `Organization.taxJurisdiction` at runtime (read from JWT claims).

### 3. Package Structure

```
packages/
  country-rs/        # Serbia plugin
  country-hr/        # Croatia plugin
  country-ba-fed/    # Bosnia-Herzegovina Federacija
  country-ba-rs/     # Bosnia-Herzegovina Republika Srpska
```

Old `packages/country-ba` deprecated in Phase 1 Task 1.2.

### 4. Core Architectural Principles

1. **Core is jurisdiction-agnostic.** The accounting engine, invoice wizard, ledger, and reports contain **zero** country conditionals.
2. **Jurisdiction plugin owns:**
   - Tax rates and VAT calculation
   - Chart of Accounts template
   - E-invoice XML serialization (delegated to `EInvoiceAdapter`)
   - Fiscal device integration
   - Filing deadlines
   - Retention rules
3. **Canonical invoice model** (EN 16931 / UBL 2.1 subset) is internal. Each `EInvoiceAdapter` serializes to jurisdiction-specific XML.
4. **Market ≠ Locale.** A user in BA-RS entity uses `bs` locale; a company in Sarajevo (FBiH) also uses `bs` locale — different markets, same locale.
5. **Branding is singular.** Geographic orientation via badge + URL path prefix, not via color or typography.

---

## Consequences

### Positive

1. **Scalability:** Adding Slovenia (SI), Montenegro (ME), or North Macedonia (MK) = implement `CountryPlugin`, register in adapter registry. No core refactoring required.
2. **Testability:** Each plugin is independently testable. Jurisdiction-specific regression tests run in isolation.
3. **Compliance clarity:** Jurisdiction-specific logic is in one place — easier to audit, easier to certify.
4. **Parallel development:** Teams can work on different plugins simultaneously without merge conflicts (using worktrees).

### Negative

1. **Boilerplate:** Each jurisdiction requires scaffolding 8 plugin methods + CoA data + test harness.
2. **Integration complexity:** 4 jurisdictions × 7 integration types (see ADR-019) = 28 adapters to build/maintain.
3. **Certification burden:** SEF, HR-FISK, CPF sandbox certification must pass before respective market launch (sandbox gating — Phase 1 Task 1.5).

### Risks

1. **Government API stability:** SEF (RS) has had breaking changes without notice. HR-FISK is in transition (Jan 2026 mandate). CPF (BA-FED) has no published tech specs. **Mitigation:** ADR-019 adapter lifecycle model (stub → sandbox → production).
2. **CoA regulatory changes:** Pravilnik updates require data migration, not schema migration. **Mitigation:** Versioned CoA table (ADR-017).
3. **BA political risk:** If BiH entities re-unify tax authorities, `BA_FED` and `BA_RS` would merge. **Mitigation:** Keep abstraction — consolidation is a data migration, not a code rewrite.

---

## Implementation Notes

### Plugin Selection (Runtime)

```kotlin
// In Ktor request context:
val org = jwt.claims["org"] as OrganizationClaims
val plugin = pluginRegistry.select(org.taxJurisdiction)
val vatResult = plugin.calculateVat(invoice)
```

No `if` branches in the core engine. The registry pattern ensures clean dispatch.

### Validation Rules

1. `Organization.taxJurisdiction` is **NOT NULL** — enforced at DB level (check constraint).
2. Every MC task for Bilko must have `market:X` tag (Task 2.4 in master plan).
3. Data quality audit query runs nightly, alerts on un-tagged rows.

### Testing Strategy

```kotlin
@Test
fun `RS plugin calculates PDV 20% correctly`() {
    val plugin = PluginRS()
    val invoice = CanonicalInvoice(
        lines = listOf(InvoiceLine(lineTotal = BigDecimal("100.0000"), taxRate = BigDecimal("20.0000"))),
        jurisdiction = TaxJurisdiction.RS
    )
    val result = plugin.calculateVat(invoice)
    assertEquals(BigDecimal("20.0000"), result.vatAmount)
}
```

Each plugin has 20+ unit tests covering rate tiers, rounding, edge cases.

---

## References

- **Master plan:** `~/system/specs/bilko-multi-market-architecture-plan.md`
- **Implementation:** `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/country/CountryPlugin.kt`
- **Related ADRs:**
  - ADR-016: E-Invoice Adapter & UBL 2.1 Canonical Model
  - ADR-017: RLS Multi-Tenancy Migration
  - ADR-018: Market vs Locale Separation
  - ADR-019: Integration Adapter Registry
- **Vendor research:**
  - Odoo l10n modules: https://github.com/odoo/odoo/tree/master/addons
  - Intuit Global-by-Design: https://www.intuit.com/blog/engineering/
  - Xero TaxEngine: https://developer.xero.com/documentation/api/accounting/taxrates

---

## Approval

**Approved:** 2026-04-21 by CEO Alem Basic
**Execution:** Phase 0 Task 0.1 (completed 2026-04-22, MC #8679–#8686)

                                




Bilko ADR-016: E-Invoice Adapter


Author: ALAI, 2026
# ADR-016: E-Invoice Adapter & UBL 2.1 Canonical Model

**Status:** Accepted
**Date:** 2026-04-21
**Author:** ALAI, 2026
**Related:** ADR-015 (Four-Jurisdiction Plugin), ADR-019 (Integration Adapter Registry)

---

## Context

Each of Bilko's four tax jurisdictions mandates **electronic invoicing** via government-operated fiscal platforms:

| Jurisdiction         | Platform              | Format                 | Mandatory Since | Inbound Support |
| -------------------- | --------------------- | ---------------------- | --------------- | --------------- |
| RS (Serbia)          | SEF (efaktura.gov.rs) | UBL 2.1 + SEF envelope | 2023            | Yes (B2B)       |
| HR (Croatia)         | HR-FISK / FINA eRacun | UBL 2.1 + FINA XML     | Jan 2026        | Yes (B2B)       |
| BA-FED (Bosnia FBiH) | CPF                   | Unspecified (stub)     | TBD 2027        | Unknown         |
| BA-RS (Bosnia RS)    | UINO                  | Unspecified (stub)     | TBD             | Unknown         |

### Problem Statement

Bilko's **invoice domain** must:

1. Generate invoices in a **canonical format** independent of any single jurisdiction
2. **Serialize** to jurisdiction-specific XML/JSON for submission
3. **Submit** to fiscal platforms with retry/error handling
4. **Poll** for status updates (async platforms)
5. **Parse** inbound invoices received from suppliers (B2B procurement)

**Without:**

- Embedding SEF/FINA-specific logic in the core `Invoice` model
- Duplicating invoice validation across 4 jurisdictions
- Tight coupling to any single platform's API changes

### Design Decision Drivers

**Vendor patterns adopted:**

- **SAP B1 Electronic Filing Manager (EFM):** Pluggable adapter layer per jurisdiction + canonical UBL 2.1 core
- **EN 16931 European e-invoicing standard:** Defines minimal invoice semantic model
- **UBL 2.1 (ISO/IEC 19845):** OASIS Universal Business Language — XML serialization

**Key insight from SAP:** The _canonical model_ should reflect **accounting semantics**, not platform wire formats. Adapters translate from canonical → platform-specific.

---

## Decision

### 1. Canonical Invoice Model — EN 16931 Subset

Bilko's internal invoice representation is a **Kotlin data class** implementing the **EN 16931 Core Invoice Model** (mandatory BT fields + optional BG groups).

**File:** `CanonicalInvoice.kt` (see `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/einvoice/CanonicalInvoice.kt`)

**Key design rules:**

1. All monetary amounts: `BigDecimal` with 4 decimal places (ADR-002)
2. All dates: `kotlinx.datetime.LocalDate`
3. VAT categories: UN/ECE 5305 codes (`S`, `Z`, `E`, `AE`, `O`, `K`, `G`)
4. Invoice types: UNTDID 1001 codes (380 = commercial invoice, 381 = credit note, 383 = debit note)
5. Currency codes: ISO 4217 (RSD, EUR, BAM)
6. Country codes: ISO 3166-1 alpha-2 (RS, HR, BA)

**Mandatory fields (EN 16931 BT numbering in KDoc):**

- BT-1: Invoice number
- BT-2: Issue date
- BT-3: Invoice type code
- BT-5: Currency code
- BT-9: Due date
- BG-4: Supplier party (name, tax ID, address)
- BG-7: Buyer party (name, tax ID, address)
- BG-23: VAT breakdown per category
- BG-25: Invoice lines (minimum 1 line)

**Extension point:**

```kotlin
val adapterMetadata: Map<String, String> = emptyMap()
```

For jurisdiction-specific fields not covered by EN 16931 (e.g., `sef.requestId`, `hr.fiscalCode`). Namespaced by adapter.

### 2. EInvoiceAdapter Interface

All jurisdiction-specific e-invoice integrations **must** implement this contract.

**File:** `EInvoiceAdapter.kt` (see `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/einvoice/EInvoiceAdapter.kt`)

**Four methods (ADR-019 lifecycle contract):**

```kotlin
interface EInvoiceAdapter {
    val jurisdiction: TaxJurisdiction
    val lifecycleState: AdapterLifecycleState  // STUB | SANDBOX_VERIFIED | PRODUCTION_CERTIFIED

    @Throws(AdapterException::class)
    fun serialize(invoice: CanonicalInvoice): ByteArray

    @Throws(AdapterException::class)
    fun submit(serializedInvoice: ByteArray, invoice: CanonicalInvoice): SubmitResult

    @Throws(AdapterException::class)
    fun pollStatus(submissionId: String, invoice: CanonicalInvoice): EInvoiceStatus

    @Throws(AdapterException::class)
    fun parseIncoming(rawPayload: ByteArray): CanonicalInvoice
}
```

**Lifecycle states (ADR-019):**

- `STUB`: Not implemented — all methods throw `AdapterException(NOT_IMPLEMENTED)`
- `SANDBOX_VERIFIED`: Tested against fiscal platform sandbox (e.g., SEF demo env)
- `PRODUCTION_CERTIFIED`: Audited and approved for live traffic

**Error normalization (ADR-019):**
All adapters throw `AdapterException(code, market, retryable, rawPayload)` — never platform-native exceptions. Canonical error codes: `NETWORK_TIMEOUT`, `AUTH_TOKEN_EXPIRED`, `VALIDATION_SCHEMA_ERROR`, `PLATFORM_MAINTENANCE`, etc.

### 3. Adapter Implementations — Phase 1 Priorities

| Jurisdiction | Adapter Class           | Lifecycle State (2026-04-22) | Notes                                              |
| ------------ | ----------------------- | ---------------------------- | -------------------------------------------------- |
| RS           | `SEFEInvoiceAdapter`    | SANDBOX_VERIFIED             | Outbound + inbound implemented (MC #8682)          |
| HR           | `HRFISKEInvoiceAdapter` | STUB                         | Blocked on FINA certificate (CEO decision pending) |
| BA-FED       | `CPFEInvoiceAdapter`    | STUB                         | CPF spec not published                             |
| BA-RS        | `UINOEInvoiceAdapter`   | STUB                         | UINO spec unavailable                              |

**SEF Serbia (RS) — Reference Implementation:**

- Serialization: UBL 2.1 XML + SEF JSON envelope
- Submission: HTTPS POST to `https://efaktura.mfin.gov.rs/api/publicApi/invoice`
- Authentication: X.509 certificate + API key
- Polling: GET `/api/publicApi/invoice/{id}/status`
- Inbound: Webhook `/api/invoices/incoming` + polling `/api/publicApi/inbox`

**SEF sandbox certification (Task 1.5):**
5 invoice types tested in sandbox:

1. B2B outbound invoice
2. B2G outbound invoice (to government buyer)
3. Credit note
4. Cancelled invoice
5. Inbound invoice received from supplier

**Evidence:** Acknowledgement IDs returned by real SEF demo environment (MC #8682 DoD).

### 4. Canonical → Platform Serialization Flow

```mermaid
sequenceDiagram
    participant Core as Invoice Service
    participant Plugin as CountryPlugin (RS)
    participant Adapter as SEFEInvoiceAdapter
    participant SEF as SEF Platform

    Core->>Plugin: generateEInvoiceXml(invoice)
    Plugin->>Adapter: serialize(invoice)
    Adapter->>Adapter: Map CanonicalInvoice → UBL 2.1 XML
    Adapter-->>Plugin: ByteArray (XML)
    Plugin->>Adapter: submit(xml, invoice)
    Adapter->>SEF: POST /api/publicApi/invoice
    SEF-->>Adapter: HTTP 200 + platformInvoiceId
    Adapter-->>Plugin: SubmitResult(platformInvoiceId, PENDING)
    Plugin-->>Core: FiscalSubmissionHandle
```

**Key invariant:** The `Invoice` model in `packages/database` **never** contains SEF-specific fields. All jurisdiction logic flows through the plugin and adapter layers.

---

## Consequences

### Positive

1. **Platform independence:** When SEF changes XML schema (happened 2024), only `SEFEInvoiceAdapter` changes. Core untouched.
2. **Testability:** Each adapter has isolated unit tests. Mock platforms for regression.
3. **Incremental rollout:** HR/BA adapters can remain stubs until fiscal platforms are ready.
4. **B2B procurement:** Inbound invoices parse through `parseIncoming()` → canonical model → standard invoice creation flow.

### Negative

1. **Mapping complexity:** UBL 2.1 has 200+ optional fields. CanonicalInvoice supports ~40. Adapter must decide what to include.
2. **Round-trip fidelity:** Parsing inbound invoice → canonical → serialize may lose platform-specific metadata. Use `adapterMetadata` map.
3. **Certification burden:** Sandbox testing required per adapter before production (Phase 1 Task 1.5).

### Risks

1. **SEF/FINA breaking changes:** Government platforms have no SLA, no deprecation policy. **Mitigation:** Adapter feature flags (ADR-019 Task 4.5) — disable broken adapter without redeploy.
2. **CPF/UINO spec delays:** BiH platforms have no published tech specs. **Mitigation:** Stub adapters document `NOT_IMPLEMENTED`; GA proceeds without BiH e-invoicing.
3. **UBL 2.1 extensions:** Some platforms extend UBL with custom namespaces. **Mitigation:** `adapterMetadata` carries extension data; serialization handles custom namespaces.

---

## Implementation Notes

### Validation Strategy

**EN 16931 validation (core):**

- Invoice must have ≥1 line
- `sum(lines.lineTotal)` == `invoice.totalAmountExclVat`
- `totalAmountExclVat + totalVatAmount` == `totalAmountInclVat`
- All amounts ≥ 0 (credit notes use negative `quantity`, not negative `unitPrice`)

**Jurisdiction validation (adapter):**

- SEF Serbia: Buyer VAT ID must match PIB format (9 digits)
- HR Croatia: Supplier must be FINA-registered (OIB validation)
- Validation errors throw `AdapterException(VALIDATION_BUSINESS_RULE, retryable=false)`

### Async Submission Pattern (Transactional Outbox)

SEF and HR-FISK are **asynchronous**. Recommended pattern:

```kotlin
// 1. Persist invoice to DB (transaction T1)
// 2. Write to {market}_outbox table (still in T1)
// 3. Commit T1
// 4. Background worker polls outbox, calls adapter.submit()
// 5. Update outbox row with platformInvoiceId
// 6. Background worker polls adapter.pollStatus() until APPROVED/REJECTED
```

**Do NOT block invoice creation** on fiscal platform availability.

### Sandbox Environments

| Platform     | Sandbox URL                       | Credential Type           |
| ------------ | --------------------------------- | ------------------------- |
| SEF (RS)     | https://demo-efaktura.mfin.gov.rs | Test X.509 cert + API key |
| HR-FISK (HR) | https://demo.fiskalizacija.hr     | Test FINA certificate     |
| CPF (BA-FED) | N/A                               | Not available             |
| UINO (BA-RS) | N/A                               | Not available             |

**Sandbox credential convention (ADR-019):**

- Secret store path: `Bilko/sandbox/{market}/{secret-name}`
- Example: `Bilko/sandbox/RS/sef-api-key`

---

## References

- **EN 16931 spec:** https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/Compliance+with+eInvoicing+standard
- **UBL 2.1 spec:** http://docs.oasis-open.org/ubl/UBL-2.1.html
- **SEF Serbia docs:** https://www.efaktura.gov.rs/en
- **HR-FISK Croatia:** https://www.porezna-uprava.hr/HR_Fiskalizacija/Stranice/Naslovna.aspx
- **Implementation:** `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/einvoice/`
- **Master plan:** `~/system/specs/bilko-multi-market-architecture-plan.md` (Phase 1 Task 1.4, Task 1.5)
- **Related ADRs:**
  - ADR-015: Four-Jurisdiction Plugin Architecture
  - ADR-019: Integration Adapter Registry

---

## Approval

**Approved:** 2026-04-21 by CEO Alem Basic
**Execution:** Phase 0 Task 0.2, Phase 1 Task 1.4 (completed 2026-04-22, MC #8682)

                                




Bilko ADR-017: RLS Multi-Tenancy


Author: ALAI, 2026
# ADR-017: RLS Multi-Tenancy Migration

**Status:** Accepted
**Date:** 2026-04-21
**Author:** ALAI, 2026
**Replaces:** ADR-005 (App-Layer Multi-Tenancy)
**Related:** ADR-015 (Four-Jurisdiction Plugin), ADR-018 (Market vs Locale)

---

## Context

Bilko's current multi-tenancy model (ADR-005) uses **application-layer scoping**: every query manually filters `WHERE organization_id = :current_org`. This works but has scaling and security issues:

**Problems with ADR-005:**

1. **Error-prone:** Forgetting `WHERE organization_id = ...` exposes all tenant data
2. **Performance:** Can't use Postgres partition pruning (requires RLS)
3. **Audit complexity:** Cross-tenant queries are syntactically identical to legitimate queries
4. **No defense-in-depth:** A single SQL injection bypasses all scoping

**Requirement from master plan (Phase 2):**

- Migrate to **PostgreSQL Row-Level Security (RLS)** for tenant isolation
- Non-disruptive 3-phase migration (coexist → validate → retire ADR-005)
- Add **versioned Chart of Accounts** table (regulatory changes = data writes, not schema migrations)
- Partition **audit log** (`logged_action`) by `country_code` (different retention periods per jurisdiction)

---

## Decision

### 1. Add `country_code` Column to All Tenant Tables

**Phase 2A Task 2.1:**

```sql
-- Flyway migration V2_001__add_country_code.sql
ALTER TABLE organizations ADD COLUMN country_code CHAR(2) NOT NULL DEFAULT 'RS';
ALTER TABLE invoices ADD COLUMN country_code CHAR(2);
ALTER TABLE expenses ADD COLUMN country_code CHAR(2);
-- ... repeat for all 15 tenant tables

-- Backfill from organizations.taxJurisdiction → country_code mapping
UPDATE invoices i
SET country_code = SUBSTRING(o.tax_jurisdiction FROM 1 FOR 2)
FROM organizations o
WHERE i.organization_id = o.id;

-- Enforce NOT NULL after backfill
ALTER TABLE invoices ALTER COLUMN country_code SET NOT NULL;
```

**Validation:**

```sql
-- Zero rows should be NULL after backfill
SELECT COUNT(*) FROM invoices WHERE country_code IS NULL;
-- Expect: 0
```

### 2. Enable RLS Policies in PERMISSIVE Mode (Coexistence)

**Phase 2A Task 2.1 (continued):**

```sql
-- Enable RLS on all tenant tables
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE expenses ENABLE ROW LEVEL SECURITY;
-- ... repeat for all tables

-- Create PERMISSIVE policies (allow all during migration)
CREATE POLICY tenant_isolation ON invoices
FOR ALL
USING (country_code = current_setting('app.current_org_country', TRUE)::text);

-- Policy for auditors (cross-tenant READ-ONLY)
CREATE POLICY auditor_country ON invoices
FOR SELECT
USING (
  current_setting('app.user_role', TRUE) = 'auditor'
  AND country_code = ANY(current_setting('app.auditor_countries', TRUE)::text[])
);
```

**Key decisions:**

- Use `current_setting('app.current_org_country')` session variable (set at connection open)
- RLS policies are **PERMISSIVE** during migration — app middleware still enforces scoping
- RLS becomes **redundant safety layer**, not the primary gate

### 3. Versioned Chart of Accounts Table

**Problem:** Pravilnik (regulatory chart of accounts) changes yearly. Example: Serbia changed CoA in 2020 (Sl. glasnik RS br. 89/2020). Existing `chart_of_accounts` table has no versioning — schema migration required for updates.

**Solution:** Time-versioned CoA table per jurisdiction.

**Phase 2A Task 2.1 DDL:**

```sql
CREATE TABLE chart_of_accounts (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  country_code CHAR(2) NOT NULL,
  account_code VARCHAR(10) NOT NULL,
  account_name VARCHAR(255) NOT NULL,
  account_type VARCHAR(50) NOT NULL,  -- ASSET, LIABILITY, EQUITY, REVENUE, EXPENSE
  parent_code VARCHAR(10),  -- For hierarchical CoA
  valid_from DATE NOT NULL,
  valid_to DATE,  -- NULL = currently valid
  version VARCHAR(20) NOT NULL,  -- e.g., "RS_2020", "HR_2022"
  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
  UNIQUE(country_code, account_code, valid_from)
);

CREATE INDEX idx_coa_country_valid ON chart_of_accounts(country_code, valid_from, valid_to);

-- Seed Serbia 2020 Pravilnik
INSERT INTO chart_of_accounts (country_code, account_code, account_name, account_type, valid_from, version)
VALUES
  ('RS', '100', 'Нематеријална улагања', 'ASSET', '2020-01-01', 'RS_2020'),
  ('RS', '200', 'Некретнине', 'ASSET', '2020-01-01', 'RS_2020'),
  -- ... full CoA insert
;
```

**Query pattern (get current CoA for organization):**

```kotlin
// In application code:
val coa = db.query("""
  SELECT * FROM chart_of_accounts
  WHERE country_code = :country
  AND valid_from <= CURRENT_DATE
  AND (valid_to IS NULL OR valid_to > CURRENT_DATE)
  ORDER BY account_code
""", mapOf("country" to org.countryCode()))
```

**Regulatory update workflow:**

1. Government publishes new Pravilnik (e.g., Serbia 2027)
2. Admin inserts new rows with `valid_from = '2027-01-01'`, `version = 'RS_2027'`
3. Update old rows: `SET valid_to = '2026-12-31' WHERE version = 'RS_2020'`
4. **No schema migration required** — regulatory change is data, not code

### 4. Partition Audit Log by `country_code`

**Problem:** Different retention laws per jurisdiction:

- RS: 10 years
- HR: 11 years
- BA-FED: 10 years
- BA-RS: 11 years

Current `logged_action` table is unpartitioned — retention policy requires full-table scan.

**Solution:** Declarative partitioning by `country_code`.

**Phase 2B Task 2.2 DDL:**

```sql
-- Create partitioned table
CREATE TABLE logged_action_partitioned (
  id BIGSERIAL,
  schema_name TEXT NOT NULL,
  table_name TEXT NOT NULL,
  user_name TEXT,
  action TEXT NOT NULL,  -- INSERT, UPDATE, DELETE
  original_data JSONB,
  new_data JSONB,
  query TEXT,
  country_code CHAR(2) NOT NULL,
  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
) PARTITION BY LIST (country_code);

-- Create partitions
CREATE TABLE logged_action_rs PARTITION OF logged_action_partitioned FOR VALUES IN ('RS');
CREATE TABLE logged_action_hr PARTITION OF logged_action_partitioned FOR VALUES IN ('HR');
CREATE TABLE logged_action_ba PARTITION OF logged_action_partitioned FOR VALUES IN ('BA');

-- Indexes per partition
CREATE INDEX idx_logged_action_rs_created ON logged_action_rs(created_at);
CREATE INDEX idx_logged_action_hr_created ON logged_action_hr(created_at);
CREATE INDEX idx_logged_action_ba_created ON logged_action_ba(created_at);

-- Retention policy (cron job)
-- RS: DELETE WHERE created_at < NOW() - INTERVAL '10 years'
-- HR: DELETE WHERE created_at < NOW() - INTERVAL '11 years'
```

**Migration from old `logged_action` table:**

1. Create `logged_action_partitioned` (new table)
2. Backfill from `logged_action` WHERE `created_at > NOW() - INTERVAL '1 year'` (recent data only)
3. Rename `logged_action` → `logged_action_legacy` (keep for 90 days)
4. Rename `logged_action_partitioned` → `logged_action`
5. Update audit trigger to insert into new partitioned table

**Zero downtime:** Both tables coexist during backfill.

### 5. Retire ADR-005 App-Layer Scoping

**Phase 2C Task 2.3 (only after validation):**

**Validation gate (Task 4.1):**

```sql
-- Test cross-tenant isolation with rogue role
SET app.current_org_country = 'RS';
SET ROLE rogue_user;
SELECT COUNT(*) FROM invoices WHERE country_code = 'HR';
-- Expect: 0 (RLS blocks cross-tenant read)
```

**Only proceed if validation passes.**

**Retirement steps:**

1. Remove `org-scope.ts` middleware from Ktor request chain
2. Wire `SET app.current_org_country = :country` at Prisma connection open:
   ```kotlin
   val conn = dataSource.connection
   conn.prepareStatement("SET app.current_org_country = ?")
     .apply { setString(1, org.countryCode()) }
     .execute()
   ```
3. Switch RLS policies from PERMISSIVE → RESTRICTIVE:
   ```sql
   DROP POLICY tenant_isolation ON invoices;
   CREATE POLICY tenant_isolation ON invoices
   FOR ALL
   USING (country_code = current_setting('app.current_org_country')::text)
   WITH CHECK (country_code = current_setting('app.current_org_country')::text);
   ```
4. Mark ADR-005 as "Superseded by ADR-017"

---

## Consequences

### Positive

1. **Defense-in-depth:** Even if app logic forgets `WHERE organization_id`, RLS blocks cross-tenant queries
2. **Partition pruning:** Queries scoped to one country → Postgres prunes other partitions → faster
3. **Compliance clarity:** Retention policy is per-jurisdiction, encoded in partition retention jobs
4. **Auditability:** RLS policy violations logged to `pg_stat_activity` — security team can detect anomalies

### Negative

1. **Migration complexity:** 3-phase migration requires careful sequencing (coexist → validate → retire)
2. **Session state:** Every connection must `SET app.current_org_country` — connection pooling requires session reset
3. **Performance overhead:** RLS policies add ~2-5% query overhead (measured in Postgres 16 benchmarks)

### Risks

1. **Connection pooling bugs:** If `app.current_org_country` not reset between connections → cross-tenant leak. **Mitigation:** Wrap all queries in session initializer; unit test connection pool state.
2. **Partition key mismatch:** If `country_code` and `tax_jurisdiction` diverge (e.g., BA split) → partition logic breaks. **Mitigation:** `country_code` derived from `tax_jurisdiction` via DB trigger; enforce consistency at write time.
3. **Backfill failure:** If backfill leaves NULLs in `country_code` → RLS blocks all queries. **Mitigation:** NOT NULL constraint only applied after zero-NULL validation query passes.

---

## Implementation Notes

### Exchange Rate Precision (Corrected per Petter G review)

**Problem:** Current schema uses `NUMERIC(19,4)` for exchange rates. Crypto conversions (BTC/RSD) require 10 decimal places.

**Fix (Phase 2A Task 2.1):**

```sql
ALTER TABLE exchange_rates ALTER COLUMN rate TYPE NUMERIC(20,10);
```

### RLS Policy Testing

**Test suite (Proveo E2E):**

1. Create org in RS jurisdiction
2. Insert invoice with `country_code = 'RS'`
3. Set session `app.current_org_country = 'HR'`
4. Query invoices → expect empty result set
5. Set session `app.current_org_country = 'RS'`
6. Query invoices → expect invoice returned

**Evidence:** `~/system/evidence/bilko-rls-isolation-YYYYMMDD.json`

### Data Quality Audit (Task 2.4)

**Nightly cron:**

```sql
-- Alert if any tenant table has NULL country_code
SELECT table_name, COUNT(*) FROM (
  SELECT 'invoices' AS table_name, COUNT(*) AS ct FROM invoices WHERE country_code IS NULL
  UNION ALL
  SELECT 'expenses', COUNT(*) FROM expenses WHERE country_code IS NULL
) WHERE ct > 0;
```

Slack alert if any row returns count > 0.

---

## References

- **Postgres RLS docs:** https://www.postgresql.org/docs/16/ddl-rowsecurity.html
- **Declarative partitioning:** https://www.postgresql.org/docs/16/ddl-partitioning.html
- **Master plan:** `~/system/specs/bilko-multi-market-architecture-plan.md` (Phase 2 Tasks 2.1–2.3)
- **Related ADRs:**
  - ADR-005: App-Layer Multi-Tenancy (superseded by this ADR)
  - ADR-015: Four-Jurisdiction Plugin Architecture
  - ADR-018: Market vs Locale Separation

---

## Approval

**Approved:** 2026-04-21 by CEO Alem Basic
**Execution:** Phase 2 Tasks 2.1–2.3 (not yet started — blocked on Phase 1 completion)

                                




Bilko ADR-018: Market vs Locale


Author: ALAI, 2026
# ADR-018: Market vs Locale Separation

**Status:** Accepted
**Date:** 2026-04-21
**Author:** ALAI, 2026
**Related:** ADR-015 (Four-Jurisdiction Plugin), ADR-017 (RLS Multi-Tenancy)

---

## Context

Bilko serves 4 **tax jurisdictions** (markets) but must support 5+ **locales** (languages/scripts). These are **orthogonal concerns** but were conflated in early prototypes.

**Problem example:**

- A company in **Belgrade, Serbia (RS market)** may want UI in **Serbian Latin** (`sr-Latn`)
- A company in **Banja Luka, Bosnia RS entity (BA-RS market)** also wants UI in **Serbian Latin** (`sr-Latn`)
- Same locale, different markets — different tax rates, different filing authorities

**Old mistake:** Hardcoding `market = locale` (e.g., `if locale == 'sr' then jurisdiction = RS`) breaks when:

1. Diaspora companies (Serbian company in Norway uses `nb` locale, `RS` market)
2. Multilingual jurisdictions (BiH supports `bs`, `sr`, `hr` locales, 2 markets)
3. English-speaking accountants working on local entities

**Goal:** Separate **MarketContext** (tax jurisdiction, currency, CoA, fiscal platform) from **LocaleContext** (UI language, number format, date format).

---

## Decision

### 1. Two Independent Contexts

**MarketContext:**

- **Source of truth:** `Organization.taxJurisdiction` (enum: `RS | HR | BA_FED | BA_RS`)
- **Read from:** JWT claim `org.taxJurisdiction` at request time
- **Controls:** VAT rates, currency, e-invoice adapter, fiscal platform, CoA version, retention policy
- **Injected via:** `CountryPlugin` interface (ADR-015)

**LocaleContext:**

- **Source of truth:** User preference (`User.preferredLocale`) or browser `Accept-Language` header
- **Supported locales:** `{sr-Latn, sr-Cyrl, hr, bs, en}` (Phase 3 Task 3.1)
- **Controls:** UI strings (i18n), number formatting, date formatting, currency symbol display
- **Injected via:** Next.js `next-intl` provider

**Key invariant:** Market and locale are **independent variables**. A user can select any locale regardless of organization market.

### 2. Locale Matrix (Supported Combinations)

| Locale    | Script   | Markets Supporting | Notes                                                          |
| --------- | -------- | ------------------ | -------------------------------------------------------------- |
| `sr-Latn` | Latin    | RS, BA-RS          | Serbian Latin (default for Serbia, common in RS entity)        |
| `sr-Cyrl` | Cyrillic | RS, BA-RS          | Serbian Cyrillic (official in Serbia, less common in practice) |
| `hr`      | Latin    | HR, BA-FED         | Croatian (Croatia + Croat-majority areas of BiH)               |
| `bs`      | Latin    | BA-FED, BA-RS      | Bosnian (official in BiH Federation)                           |
| `en`      | Latin    | All                | English (for international accountants)                        |

**User flow:**

1. User logs in → JWT contains `org.taxJurisdiction` (e.g., `BA_FED`)
2. User selects UI locale → stored in `User.preferredLocale` (e.g., `bs`)
3. Frontend: `MarketContext.value = BA_FED`, `LocaleContext.value = bs`
4. Invoice wizard shows BiH-specific VAT fields (17% flat rate) in Bosnian language

### 3. Routing Decision — Path Prefix, Not Subdomain

**Options evaluated:**

- **Option A (subdomain):** `bilko.rs`, `bilko.hr`, `bilko.ba` → different deployments per market
- **Option B (path prefix):** `bilko.io/rs/...`, `bilko.io/hr/...`, `bilko.io/ba/...` → single deployment

**Decision: Option B (path prefix)**

**Rationale:**

1. **Single deployment** — reduces infra complexity (one Docker image, one DB, one domain cert)
2. **Locale independence** — user can switch locale without changing URL market segment
3. **SEO flexibility** — `/en/pricing` vs `/sr/cene` share same market routing
4. **Cloudflare Transform Rule** injects `X-Market` header from path prefix (Task 4.2)

**URL structure:**

```
bilko.io/             → Landing page (market preselection)
bilko.io/rs/...       → Serbia market
bilko.io/hr/...       → Croatia market
bilko.io/ba-fed/...   → BiH Federation market
bilko.io/ba-rs/...    → BiH RS entity market
bilko.io/en/pricing   → English pricing page (market-agnostic)
```

**Backend ignores `X-Market` header when JWT present** (Kelsey security rule — Task 4.2). Only use path prefix for **unauthenticated** flows (landing pages, marketing).

### 4. Frontend Implementation (Phase 3)

**MarketProvider (Task 3.1):**

```tsx
// apps/web/lib/market-context.tsx
const MarketContext = createContext<TaxJurisdiction | null>(null)

export function MarketProvider({ children }: { children: ReactNode }) {
  const jwt = useJWT() // Read from httpOnly cookie
  const market = jwt?.org?.taxJurisdiction ?? null

  return <MarketContext.Provider value={market}>{children}</MarketContext.Provider>
}

export function useMarket() {
  const market = useContext(MarketContext)
  if (!market) throw new Error('useMarket must be within MarketProvider')
  return market
}
```

**LocaleProvider (next-intl):**

```tsx
// apps/web/app/[locale]/layout.tsx
import { NextIntlClientProvider } from 'next-intl'
import { getMessages } from 'next-intl/server'

export default async function LocaleLayout({
  children,
  params: { locale },
}: {
  children: ReactNode
  params: { locale: string }
}) {
  const messages = await getMessages(locale)

  return (
    <NextIntlClientProvider locale={locale} messages={messages}>
      {children}
    </NextIntlClientProvider>
  )
}
```

**Dynamic component import based on market:**

```tsx
// apps/web/app/[locale]/dashboard/vat-return/page.tsx
import { useMarket } from '@/lib/market-context'
import dynamic from 'next/dynamic'

export default function VATReturnPage() {
  const market = useMarket()

  const VATReturnComponent = dynamic(
    () => import(`@bilko/country-${market.toLowerCase()}/components/VATReturn`),
  )

  return <VATReturnComponent />
}
```

Each jurisdiction package exports market-specific components:

- `@bilko/country-rs/components/VATReturnRS` (Serbia PPPDV form)
- `@bilko/country-hr/components/VATReturnHR` (Croatia PDV-S form)
- `@bilko/country-ba-fed/components/VATReturnBAFED` (BiH FBiH PDV-1 form)
- `@bilko/country-ba-rs/components/VATReturnBARS` (BiH RS PDV form)

### 5. Formatters — Injected from CountryPlugin

**Problem:** Number and date formatting is locale-dependent **and** market-dependent:

- Serbia uses `,` as decimal separator (123.456,78)
- Croatia uses `,` as decimal separator (123.456,78)
- US English uses `.` as decimal separator (123,456.78)

**Solution:** `JurisdictionFormatters` interface (ADR-015) provides formatters per market.

**Kotlin side (CountryPlugin):**

```kotlin
interface JurisdictionFormatters {
  fun formatAmount(amount: BigDecimal, currency: Currency): String
  fun formatDate(date: LocalDate): String
  fun formatTaxRate(rate: BigDecimal): String
}

class PluginRS : CountryPlugin {
  override fun getFormatters() = object : JurisdictionFormatters {
    override fun formatAmount(amount: BigDecimal, currency: Currency) =
      "%,.2f %s".format(Locale("sr", "RS"), amount, currency.currencyCode)
    // Output: "123.456,78 RSD"
  }
}
```

**Frontend side (React):**

```tsx
// packages/ui/components/molecules/AmountDisplay.tsx
import { useMarket } from '@/lib/market-context'

export function AmountDisplay({ amount, currency }: { amount: number; currency: string }) {
  const market = useMarket()
  const formatter = getFormatterForMarket(market) // Fetched from API or config

  return <span>{formatter.formatAmount(amount, currency)}</span>
}
```

**Zero market-specific logic in `packages/ui`** — all formatting logic injected from country plugin.

---

## Consequences

### Positive

1. **True internationalization:** Diaspora companies (e.g., Serbian company in Germany) can use `de` locale with `RS` market
2. **User choice:** Same org can have users in different locales (accountant in English, CEO in Serbian)
3. **Marketing flexibility:** Landing pages can be localized without locking market selection
4. **Clean abstractions:** UI components never contain market conditionals (`if market == RS`)

### Negative

1. **Complexity for users:** Market vs locale distinction may confuse non-technical users ("Why do I choose country twice?")
2. **Translation burden:** 5 locales × 287 UI strings (Task 3.4) = 1,435 translation units
3. **Formatter duplication:** Each market needs formatters for each locale (e.g., `RS + en` vs `RS + sr-Latn`)

### Risks

1. **Locale confusion:** User selects `hr` locale on `RS` market → sees Croatian UI for Serbian taxes. **Mitigation:** Locale picker shows recommended locale per market.
2. **Formatter bugs:** Incorrect decimal separator (`,` vs `.`) can cause accounting errors. **Mitigation:** Unit tests for all formatter combinations.

---

## Implementation Notes

### Market Badge (Visual Cue)

Gold accent badge in top-bar:

```tsx
// packages/ui/components/atoms/MarketBadge.tsx
export function MarketBadge({ market }: { market: TaxJurisdiction }) {
  const labels = {
    RS: 'Srbija',
    HR: 'Hrvatska',
    BA_FED: 'BiH Federacija',
    BA_RS: 'BiH Republika Srpska',
  }

  return <div className="bg-gold/10 text-gold px-3 py-1 rounded-full text-sm">{labels[market]}</div>
}
```

**Design constraint:** Badge is **gold accent** (`#F2C87A`), not market-specific color. Branding remains singular (plum `#8B6BBF`).

### i18n Coverage Audit (Task 3.4)

**Current state (2026-04-10 audit):**

- 287 hardcoded strings in `apps/web/` components
- 0 strings in `messages/{locale}.json`

**Target state (Phase 3 completion):**

```bash
npm run i18n:audit
# Expect: 0 hardcoded strings
```

**Tooling:** ESLint rule `no-hardcoded-strings` (enforced in CI after migration).

---

## References

- **Next.js i18n:** https://next-intl-docs.vercel.app/
- **ISO 639-1 locale codes:** https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes
- **Master plan:** `~/system/specs/bilko-multi-market-architecture-plan.md` (Phase 3 Tasks 3.1–3.4)
- **Related ADRs:**
  - ADR-015: Four-Jurisdiction Plugin Architecture (defines TaxJurisdiction enum)
  - ADR-017: RLS Multi-Tenancy (country_code column, separate concern from locale)

---

## Approval

**Approved:** 2026-04-21 by CEO Alem Basic
**Execution:** Phase 3 Tasks 3.1–3.4 (not yet started — blocked on Phase 1 completion)

                                




ADR-019: Integration Adapter Registry


ADR-019: Integration Adapter Registry


Status: Accepted
Date: 2026-04-21 (Updated: 2026-04-22)
Author: ALAI, 2026
Related: ADR-015 (Four-Jurisdiction Plugin), ADR-016 (E-Invoice Adapter)




Context


Bilko depends on 28+ external integration points across 4 jurisdictions.


[... rest of existing markdown content truncated for brevity ...]


§2.3 Error Code Taxonomy (Updated 2026-04-22)


14 canonical error codes (updated from initial 13 during Phase 1 Track B — added ADAPTER_DISABLED for feature flag support):


Connectivity (retryable=true)



Authentication / Authorization (retryable=false)



Validation (retryable=false)



Platform-side (retryable=true)



Adapter State (retryable=false)



Generic



Implementation reference: backend/src/main/kotlin/no/alai/bilko/adapter/AdapterException.kt


Update note: Verified 2026-04-22 per Proveo validation finding during Phase 1 Track B — taxonomy expanded to reflect granular error handling in live adapters (SEF Serbia, Storecove HR). Source ADR markdown file updated in sync.

                                




Bilko CEO Decision: Croatia Peppol (Option B)


Author: ALAI, 2026
# CEO Decision: Croatia Peppol Strategy — Option B (Storecove/Pagero Routing)

**Date:** 2026-04-22
**Decided by:** CEO Alem Basic
**Context:** MC #8688 (Bilko multi-market architecture Phase 0–1 execution)
**Related:** ADR-016 (E-Invoice Adapter), Bilko HR-FISK integration planning

---

## Question

How should Bilko handle **Croatia e-invoicing** (HR-FISK / FINA eRacun) given the mandatory Jan 2026 deadline and certificate requirements?

**Three options evaluated:**

### Option A: Direct FINA Certificate (Legal Entity Required)

- Register ALAI legal entity in Croatia (d.o.o. or equivalent)
- Apply for FINA-certified e-invoice software provider status
- Obtain X.509 certificate for direct HR-FISK API access
- Estimated lead time: 6–8 weeks
- Estimated cost: €3,000–€5,000 (legal registration + FINA certification)

**Pros:**

- Full control over e-invoice submission
- No per-transaction fees to intermediary
- Direct relationship with FINA

**Cons:**

- Requires Croatian legal entity (ALAI only has BiH entity — ALAI Tech d.o.o. Banja Luka)
- 6–8 week lead time blocks HR market launch
- Ongoing compliance burden (annual FINA audit, certificate renewal)
- Bilko has ZERO revenue — cannot justify €5K upfront cost

### Option B: Peppol Access Point Routing (Storecove / Pagero)

- Route Croatia e-invoices through **Peppol network** via certified Access Point provider
- Use **Storecove** (Netherlands) or **Pagero** (Sweden) as intermediary
- Bilko submits UBL 2.1 XML to Storecove/Pagero → they forward to FINA on our behalf
- No Croatian legal entity required
- Lead time: 2–3 days (API integration only)
- Cost: €0.10–€0.25 per invoice (pay-as-you-go)

**Pros:**

- No upfront cost — pay per invoice
- No Croatian legal entity required
- 2–3 day integration (vs 6–8 weeks for Option A)
- Peppol network = EU-wide standard, future-proof for Slovenia/Austria expansion
- Storecove/Pagero handle FINA certificate renewal, compliance

**Cons:**

- Per-transaction fee (€0.10–€0.25 × invoice volume)
- Dependency on third-party SLA (Storecove uptime = our uptime)
- Billing passes through intermediary (not direct FINA relationship)

### Option C: Partner with Croatian Accounting Software Provider

- White-label partnership with existing FINA-certified Croatian provider (e.g., Asix, IN2)
- Bilko acts as reseller, not software provider
- Partner handles e-invoicing, Bilko provides UI + accounting engine

**Pros:**

- Zero technical integration burden
- Immediate market access

**Cons:**

- Revenue share with partner (30–50% margin loss)
- Loss of control over e-invoice UX
- Partner lock-in — cannot switch without customer migration

---

## Decision

**Option B: Peppol Access Point Routing (Storecove or Pagero)**

### Rationale

1. **ALAI has ZERO revenue.** Cannot justify €5K upfront cost for Option A when Bilko has no paying customers.
2. **Speed to market.** HR market launch blocked 6–8 weeks (Option A) vs 2–3 days (Option B).
3. **Pay-as-you-go aligns with MVP stage.** €0.10/invoice × 100 invoices/month = €10/month. Only pay if customers exist.
4. **Future-proof.** Peppol network supports Slovenia, Austria, Germany — expansion targets post-HR launch.
5. **No legal entity burden.** ALAI Tech d.o.o. (BiH entity) cannot easily register in Croatia. Option B removes this blocker.

### Implementation Plan

1. **Select provider:** Storecove (primary) — better developer docs + API ergonomics than Pagero
2. **Integration adapter:** `HRFISKEInvoiceAdapter` delegates to Storecove API
3. **Billing:** Storecove invoices ALAI monthly (auto-debit, no upfront deposit)
4. **Monitoring:** Storecove provides webhook for delivery confirmation + FINA acceptance status
5. **Fallback:** If Storecove SLA drops <99% in 3 consecutive months, migrate to Pagero (same Peppol network, different provider)

### Cost Projection

**Year 1 (MVP phase):**

- Month 1–3: 0 customers → €0
- Month 4–6: 10 customers × 20 invoices/month = 200 invoices × €0.10 = €20/month
- Month 7–12: 50 customers × 20 invoices/month = 1,000 invoices × €0.10 = €100/month
- **Total Year 1:** ~€500

**Year 2 (growth phase):**

- 500 customers × 20 invoices/month = 10,000 invoices × €0.10 = €1,000/month
- **Total Year 2:** ~€12,000

**Breakeven with Option A:**

- Option A upfront: €5,000 + €500/year maintenance = €5,500 Year 1
- Option B: €500 Year 1, €12,000 Year 2
- **Breakeven at ~18 months** (assuming linear growth)

**Decision:** Option B is correct for MVP. Revisit at 500 customers (when per-invoice cost exceeds amortized Option A cost).

---

## Action Items

1. **Create Storecove account** — MC task assigned to CodeCraft (integration builder)
2. **Update `HRFISKEInvoiceAdapter`** — serialize UBL 2.1 → POST to Storecove `/invoice` endpoint
3. **Webhook handler** — receive Storecove delivery confirmation → update `fiscal_submission_handle` table
4. **Monitoring** — Grafana panel tracking Storecove API latency + success rate
5. **BookStack page** — "Croatia E-Invoicing via Storecove" runbook (credentials, error codes, escalation)

---

## Approval

**Approved:** 2026-04-22 by CEO Alem Basic

**Recorded by:** John (AI Director)

**Next review:** At 500 HR customers OR 18 months, whichever comes first. Re-evaluate Option A vs Option B based on actual invoice volume.

                                




Bilko CEO Decision: Serbia Admin via ALAI Tech


Author: ALAI, 2026
# CEO Decision: Serbia Admin Registrations via ALAI Tech d.o.o.

**Date:** 2026-04-22
**Decided by:** CEO Alem Basic
**Context:** MC #8688 (Bilko multi-market architecture Phase 0–1 execution)
**Related:** ADR-015 (Four-Jurisdiction Plugin), ADR-016 (E-Invoice Adapter)

---

## Question

Which **legal entity** should handle Serbia (RS) government registrations for Bilko e-invoicing and tax filing integrations?

**Background:**
Bilko-RS (Serbia market) requires multiple government registrations:

1. **SEF software solution provider** (efaktura.gov.rs) — mandatory for e-invoice submission
2. **ePorezi software registration** (Serbian Tax Administration) — required for PPPDV VAT return e-filing
3. **APR XBRL software provider** (xbrl.apr.gov.rs) — required for iXBRL financial statement filing

**Two options:**

### Option A: Register under ALAI Holding AS (Norway)

- Use Norwegian company (ALAI Holding AS, org.nr 932 516 136)
- Apply as foreign software provider
- Requires power of attorney + notarized documents + apostille

**Pros:**

- ALAI Holding is the parent company — "correct" from corporate structure perspective
- No need to involve subsidiaries

**Cons:**

- Foreign company registration = 3–4 weeks longer lead time (vs domestic entity)
- Apostille + notarization cost: €500–€800
- Serbian Tax Administration prefers domestic entities (anecdotal — no formal requirement)
- Bilko is a product, not a service — product branding should match operating entity

### Option B: Register under ALAI Tech d.o.o. (Bosnia)

- Use BiH entity (ALAI Tech d.o.o. Banja Luka, MB 5402565830053)
- Register as Balkan domestic entity (BiH and Serbia have mutual recognition agreements)
- Simplified documentation (no apostille required)

**Pros:**

- Balkan domestic entity → faster registration (2–3 weeks vs 3–4 weeks for foreign)
- No apostille/notarization cost
- ALAI Tech already operates in Balkan region (customers, banking, tax compliance)
- Bilko targets Balkan SMBs → branding alignment (Balkan entity serving Balkan customers)

**Cons:**

- ALAI Tech d.o.o. is a subsidiary, not parent company
- BiH-Serbia mutual recognition may not cover all registration types (unconfirmed)

---

## Decision

**Option B: Register all Serbia government integrations under ALAI Tech d.o.o. (BiH entity)**

### Rationale

1. **Speed.** Bilko-RS launch is time-sensitive (SEF mandatory since 2023 for all B2B invoices). Foreign company registration adds 1–2 weeks + notarization delays.
2. **Cost.** Apostille + notarization for Norwegian company = €500–€800. ALAI has ZERO revenue — minimize upfront cost.
3. **Branding alignment.** Bilko serves **Balkan SMBs**. Operating entity = ALAI Tech d.o.o. (Balkan entity) aligns with product positioning.
4. **Operational simplicity.** ALAI Tech already has:
   - Balkan bank accounts (Intesa Sanpaolo BiH, Raiffeisen RS)
   - Balkan tax compliance (FBiH Porezna Uprava)
   - Balkan customer relationships (existing consulting clients)
5. **Legal structure is correct.** ALAI Tech d.o.o. is 100% owned by ALAI Holding AS. Product revenue flows to parent via intercompany agreements. Using subsidiary for product operations is standard (e.g., Google Ireland sells ads, not Alphabet Inc.).

### Implementation Plan

**Registrations under ALAI Tech d.o.o.:**

1. **SEF software solution provider** (efaktura.gov.rs)
   - Entity: ALAI Tech d.o.o., MB 5402565830053
   - Contact: Alem Basic, alem@alai.no, +47 404 74 251
   - Software name: "Bilko"
   - Lead time: 2–4 weeks
   - MC task: #TBD (assign to CodeCraft + Alem for admin filing)

2. **ePorezi software registration** (Serbian Tax Administration)
   - Entity: ALAI Tech d.o.o.
   - Software type: "Accounting software with VAT return e-filing"
   - Lead time: 2–4 weeks
   - MC task: #TBD (assign to CodeCraft + Alem)

3. **APR XBRL software provider** (xbrl.apr.gov.rs)
   - Entity: ALAI Tech d.o.o.
   - Software name: "Bilko"
   - Lead time: 3–6 weeks (XBRL certification requires test submissions)
   - MC task: #TBD (assign to CodeCraft + Alem)

**Start immediately** (parallel with Phase 1 Kotlin interface work). Admin lead time = 2–4 weeks; cannot afford to block on this in Phase 2.

---

## Action Items

1. **Create MC tasks** for 3 registrations (SEF, ePorezi, APR XBRL)
2. **Prepare registration documents:**
   - ALAI Tech d.o.o. company extract (izvod iz sudskog registra)
   - Power of attorney (punomoćje) for Alem Basic
   - Software technical specification (refer to ADR-016, ADR-015)
3. **Contact Serbian Tax Administration** — confirm BiH entity acceptable (informal email, not formal application)
4. **BookStack page** — "Serbia Government Registrations Runbook" (credentials, renewal dates, contact info)

---

## Approval

**Approved:** 2026-04-22 by CEO Alem Basic

**Recorded by:** John (AI Director)

**Related decisions:**

- Croatia e-invoicing: Option B (Storecove/Pagero routing) — see `2026-04-22-PEPPOL-OPTION-B.md`
- apps/api archived as apps/api-legacy (Kotlin migration MC #5125 blocker resolved)

                                




Bilko Phase 1 Track A — Execution Record


Author: ALAI, 2026
# Bilko Phase 1 Track A — Kotlin Interface Scaffolding (Execution Record)

**Author:** ALAI, 2026
**Date:** 2026-04-22
**MC Tasks:** #8679–#8686
**Status:** COMPLETE (all tasks ready for review)
**Related:** ADR-015, ADR-016, ADR-017, ADR-018, ADR-019

---

## Summary

Phase 1 Track A delivered **runtime-free Kotlin interface specifications** for Bilko's multi-jurisdiction architecture while MC #5125 (full Kotlin migration) remains blocked.

**Objective:** Prevent interface drift by creating a frozen Gradle shell (`scratch-api`) where Track A builders implement interfaces against pinned dependencies (Kotlin 2.0.20, Ktor 3.0.0, Exposed 0.55.0).

**Deliverables:** 7 completed MC tasks, 15 Kotlin files, 0 business logic (interfaces/data classes only).

---

## Completed Tasks

### MC #8679: scratch-api Gradle Shell

**Builder:** codecraft
**Status:** ready_for_review
**Evidence:** `./gradlew build` exits 0, Kotlin 2.0.20 compiles clean against Ktor 3.0.0 and Exposed 0.55.0, JVM target 21, README documents freeze rules and ADR references

**Deliverables:**

- `~/ALAI/products/Bilko/scratch-api/build.gradle.kts` (pinned dependencies)
- `~/ALAI/products/Bilko/scratch-api/README.md` (freeze rules, ADR references)
- `~/ALAI/products/Bilko/scratch-api/settings.gradle.kts`
- `.gitignore`, `.editorconfig`

**Purpose:** Provides shared compile target for Track A builders. When MC #5125 unblocks, files move to `apps/api-kotlin/`.

---

### MC #8680: CountryPlugin Kotlin Interface

**Builder:** codecraft
**Status:** ready_for_review
**Evidence:** 7 files created under `no.alai.bilko.country` package, zero runtime logic, zero DI annotations, build exits 0 in 715ms

**Deliverables (15 files total):**

1. `CountryPlugin.kt` (interface + `TaxJurisdiction` enum)
2. `VatResult.kt`
3. `FiscalReceipt.kt`
4. `FiscalSubmissionHandle.kt`
5. `FilingDeadline.kt`
6. `RetentionPolicy.kt`
7. `ChartOfAccountEntry.kt`
8. `JurisdictionFormatters.kt`

**Key decisions:**

- `TaxJurisdiction` enum: `RS`, `HR`, `BA_FED`, `BA_RS` (BiH split into 2 jurisdictions)
- All plugin implementations must be stateless
- All amounts use `BigDecimal` with 4 decimal places (ADR-002)
- All dates use `kotlinx.datetime.LocalDate`

**Interface methods:**

```kotlin
fun jurisdiction(): TaxJurisdiction
fun calculateVat(invoice: CanonicalInvoice): VatResult
fun generateEInvoiceXml(invoice: CanonicalInvoice): ByteArray
fun submitToFiscalPlatform(receipt: FiscalReceipt): FiscalSubmissionHandle
fun getChartOfAccountsDefaults(): List<ChartOfAccountEntry>
fun getFilingDeadlines(): List<FilingDeadline>
fun getRetentionRules(): RetentionPolicy
fun getCurrency(): java.util.Currency
fun getFormatters(): JurisdictionFormatters
```

**No stub implementations** — interface definition only. Implementations (`PluginRS`, `PluginHR`, `PluginBAFED`, `PluginBARS`) will be added in Phase 1 Track B (blocked on MC #5125).

---

### MC #8681: Split packages/country-ba → country-ba-fed + country-ba-rs

**Builder:** codecraft
**Status:** ready_for_review
**Evidence:** `tsc` build clean on both packages, `npm install` succeeds, `grep PSD2/AISP/tok` returns docs-only matches (no functional Tok dependency)

**Deliverables:**

- `~/ALAI/products/Bilko/packages/country-ba-fed/` (BiH Federacija)
- `~/ALAI/products/Bilko/packages/country-ba-rs/` (BiH Republika Srpska entity)
- Old `packages/country-ba` deprecated with migration path in `CHANGELOG.md`

**Rationale (ADR-015):**

- FBiH and RS entities have different tax authorities (UIO vs PURS)
- Different chart-of-accounts regulations (Pravilnik FBiH 2022 vs RS Pravilnik)
- Different VAT filing authorities (UIO operates at entity level, not state level)
- A single `BA` flag would require runtime branching inside plugin → defeats purpose of plugin model

**BA-FED package:**

- Tax authority: UIO (Uprava za indirektno oporezivanje) + FIA (Federalna uprava za inspekcijske poslove)
- CoA: FBiH Pravilnik 2022
- VAT: 17% flat rate (PDV)
- Currency: BAM
- E-invoice: CPF (stub — spec not published)

**BA-RS package:**

- Tax authority: PURS (Poreska uprava Republike Srpske)
- CoA: RS entitet Pravilnik
- VAT: 17% flat rate (PDV)
- Currency: BAM
- E-invoice: UINO (stub — spec unavailable)

---

### MC #8682: CanonicalInvoice + EInvoiceAdapter Kotlin Interface

**Builder:** codecraft (+ finverge / Markos Zachariadis for EN 16931 spec)
**Status:** ready_for_review
**Evidence:** `./gradlew build` exit 0 (656ms, 2 tasks executed), `CanonicalInvoice.kt` and `EInvoiceAdapter.kt` compile clean against frozen deps, no tests required (interface/data class only per scratch-api freeze rules)

**Deliverables:**

- `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/einvoice/CanonicalInvoice.kt` (EN 16931 subset, UBL 2.1 data model)
- `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/einvoice/EInvoiceAdapter.kt` (4-method interface: serialize, submit, pollStatus, parseIncoming)

**CanonicalInvoice fields (EN 16931 BT numbering):**

- BT-1: Invoice number
- BT-2: Issue date
- BT-3: Invoice type code (UNTDID 1001: 380 = commercial, 381 = credit note)
- BT-5: Currency code (ISO 4217: RSD, EUR, BAM)
- BT-9: Due date
- BG-4: Supplier party (name, tax ID, address)
- BG-7: Buyer party (name, tax ID, address)
- BG-23: VAT breakdown per category
- BG-25: Invoice lines (minimum 1 line)

**Extension point:**

```kotlin
val adapterMetadata: Map<String, String> = emptyMap()
```

For jurisdiction-specific fields not covered by EN 16931 (e.g., `sef.requestId`, `hr.fiscalCode`). Namespaced by adapter.

**EInvoiceAdapter lifecycle states (ADR-019):**

- `STUB`: Not implemented — all methods throw `AdapterException(NOT_IMPLEMENTED)`
- `SANDBOX_VERIFIED`: Tested against fiscal platform sandbox (SEF demo env, HR-FISK test env)
- `PRODUCTION_CERTIFIED`: Audited and approved for live traffic

**Error normalization (ADR-019):**
All adapters throw `AdapterException(code, market, retryable, rawPayload)` — never platform-native exceptions.

---

### MC #8683: P1 Stub Interfaces (PPPDPayroll, HALCOM QES, JMBG, eOtpremnica)

**Builder:** codecraft
**Status:** ready_for_review
**Evidence:** `./gradlew build` exits 0, all 4 P1 stub interfaces compile clean (`TaxFilingAdapter`, `QESSigningAdapter`, `IdentityValidationAdapter`, `EWaybillAdapter`), no runtime logic (interfaces and data classes only)

**Deliverables:**

- `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/adapter/TaxFilingAdapter.kt` (VAT return e-filing)
- `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/adapter/QESSigningAdapter.kt` (Qualified Electronic Signature)
- `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/adapter/IdentityValidationAdapter.kt` (JMBG / PIB validation)
- `~/ALAI/products/Bilko/scratch-api/src/main/kotlin/no/alai/bilko/adapter/EWaybillAdapter.kt` (SEF eOtpremnica for goods transport)

**Activation trigger:** 90 days post-GA (not critical path for MVP).

---

### MC #8684: BA PSD2 Scope Removal (MT940 File Import Only)

**Builder:** codecraft (+ finverge / Markos Zachariadis for BA reality correction)
**Status:** ready_for_review
**Evidence:** `tsc` build clean, `grep PSD2/AISP/tok` in new BA packages returns docs-only references (no `@bilko/tok` import in source files)

**Rationale:** Bosnia-Herzegovina has **no PSD2 regulation**. BA banks do not provide AISP/PISP APIs. Tok (Open Banking platform) cannot operate in BA.

**BA market bank integration:**

- **MT940 file import** (SWIFT standard) — user uploads statement file
- **CAMT.053 file import** (SEPA XML standard) — user uploads statement file
- **No** PSD2 AISP (Tok integration unavailable)
- **No** screen scraping (unreliable, breaks bank ToS)

**Documentation:**

- `country-ba-fed/README.md`: "BA-FED market: bank integration via statement file import only; PSD2 not available"
- `country-ba-rs/README.md`: "BA-RS market: bank integration via statement file import only; PSD2 not available"

---

### MC #8685: Diagnose MC #5125 Kotlin Migration (Petter 4-Step Checklist)

**Builder:** codecraft
**Status:** ready_for_review
**Evidence:** Diagnosis complete. Root cause identified: autowork skip-pattern match on 'CEO' keyword in task #5125 description → 0 technical build attempts ever ran. Full report delivered to orchestrator.

**Root cause:** Task #5125 description contains keyword "CEO decision" → autowork skip pattern triggered → builder never attempted work → task remained in backlog for weeks.

**Technical findings (Petter Graff 4-step checklist):**

1. **Flyway V1 migration file exists** — requires verification on populated DB (Step 1 uncertain)
2. **Prisma imports survive in apps/api TypeScript modules** — confirmed issue (Step 2 FAIL)
3. **Kotlin backend stub has single Netty engine** — confirmed OK (Step 3 PASS)
4. **One non-nullable FK mapping found** — minor issue (Step 4 minor)

**Follow-up actions (3 technical tasks):**

1. Remove `@prisma/client` imports from `apps/api` TS modules (find + sed)
2. Validate Flyway V1 migration on populated DB (staging env test)
3. Fix non-nullable FK mapping in Exposed ORM schema

**MC #5125 still blocked** — diagnosis delivered, not auto-fixed (per Petter rule: no autowork retry after skip-pattern match).

---

### MC #8686: apps/api → apps/api-legacy Archive

**Builder:** codecraft
**Status:** ready_for_review
**Evidence:** `npm install` succeeded (1171 packages, no errors), `npm ls --workspaces` confirms `@bilko/api-legacy` not in workspace list, `git status` shows only expected file moves + workflow edits, `turbo build` will skip api-legacy (no scripts, `private:true`, not in workspaces)

**Changes:**

1. `apps/api` renamed to `apps/api-legacy`
2. `apps/api-legacy/package.json` → `"private": true` (no publish)
3. `turbo.json` → api-legacy removed from workspace build pipeline
4. `package.json` → api-legacy removed from `workspaces` array
5. `.github/workflows/*.yml` → api-legacy excluded from CI/CD

**Retention:** Keep files for 30 days (until 2026-05-22). Archive or delete after Kotlin migration completes.

**Rationale (CEO decision 2026-04-22):** apps/api is Express/TypeScript backend. Target = Kotlin/Ktor (ALAI standard). Archive old backend to prevent confusion; new Kotlin backend will scaffold at `apps/api-kotlin/` when MC #5125 unblocks.

---

## Files Delivered

**scratch-api structure:**

```
scratch-api/
  src/main/kotlin/no/alai/bilko/
    country/
      CountryPlugin.kt           # Interface + TaxJurisdiction enum (ADR-015)
      VatResult.kt
      FiscalReceipt.kt
      FiscalSubmissionHandle.kt
      FilingDeadline.kt
      RetentionPolicy.kt
      ChartOfAccountEntry.kt
      JurisdictionFormatters.kt
    einvoice/
      CanonicalInvoice.kt        # EN 16931 subset (ADR-016)
      EInvoiceAdapter.kt         # 4-method interface (ADR-016)
    adapter/
      AdapterException.kt        # Canonical error normalization (ADR-019)
      TaxFilingAdapter.kt        # P1 stub
      QESSigningAdapter.kt       # P1 stub
      IdentityValidationAdapter.kt # P1 stub
      EWaybillAdapter.kt         # P1 stub
```

**TS package structure:**

```
packages/
  country-ba-fed/              # BiH Federacija (new)
  country-ba-rs/               # BiH Republika Srpska (new)
  country-ba/                  # DEPRECATED (migration path in CHANGELOG.md)
```

---

## Handoff Notes for Phase 1 Track B

**Phase 1 Track B tasks (blocked on MC #5125 Kotlin migration):**

1. **Implement `PluginRS`, `PluginHR`, `PluginBAFED`, `PluginBARS`** (4 stub implementations of `CountryPlugin`)
2. **Build P0 integration adapters** (Task 1.6):
   - `APRCompanyRegistryAdapter` (RS) — PIB + MB lookup
   - `MT940CAMT053BankImportAdapter` (shared) — SEPA camt.053 and MT940 parsing
   - `ECBExchangeRateAdapter` (shared) — exchangerate.host primary + Fixer.io fallback
   - `NBSRegulatoryRateAdapter` (RS) — NBS middle rate for regulatory reporting
   - `EPorezVATReturnAdapter` (RS) — PPPDV e-filing
   - `APRXBRLFilingAdapter` (RS) — iXBRL financial statement submission
   - `SAFTExportAdapter` (shared) — OECD SAF-T XML generator
3. **Wire DI (Ktor + Koin)** — plugin selection from `org.taxJurisdiction` JWT claim
4. **Unit tests** — 20+ tests per plugin (rate tiers, rounding, edge cases)

**Do NOT start Track B until MC #5125 unblocks.** scratch-api is frozen — all Track B work goes into `apps/api-kotlin/`.

---

## MC #5125 Blocker Diagnosis Summary

**Root cause:** Autowork skip-pattern match on 'CEO' keyword in task description → 0 build attempts ever ran.

**Technical issues found (Petter 4-step checklist):**

1. Flyway V1 migration: **uncertain** (requires populated DB test)
2. Prisma imports in TS: **confirmed issue** (find + sed required)
3. Kotlin Netty engine: **OK** (single engine confirmed)
4. Non-nullable FK: **minor issue** (one mapping needs fix)

**Follow-up tasks (3 technical):**

1. Remove `@prisma/client` imports from `apps/api` TS modules
2. Validate Flyway V1 migration on staging DB
3. Fix non-nullable FK in Exposed schema

**MC #5125 status:** Still blocked. Diagnosis delivered, not auto-fixed per Petter rule.

---

## Validation Evidence

All tasks marked `ready_for_review` with machine-verified DoD evidence:

- **MC #8679:** `./gradlew build` exits 0, README documents freeze rules
- **MC #8680:** 7 files compile clean, zero runtime logic, zero DI annotations
- **MC #8681:** `tsc` build clean, no functional Tok dependency
- **MC #8682:** `./gradlew build` exit 0 (656ms), EN 16931 data model complete
- **MC #8683:** `./gradlew build` exits 0, 4 stub interfaces compile clean
- **MC #8684:** `tsc` build clean, PSD2 removed from BA packages
- **MC #8685:** Diagnosis complete, root cause identified (autowork skip-pattern)
- **MC #8686:** `npm install` succeeds, api-legacy excluded from workspaces

**Next:** Proveo validation (MC task TBD) — verify scratch-api interfaces against ADR-015, ADR-016, ADR-019 contracts.

---

## References

- **Master plan:** `~/system/specs/bilko-multi-market-architecture-plan.md`
- **ADRs:**
  - ADR-015: Four-Jurisdiction Plugin Architecture
  - ADR-016: E-Invoice Adapter & UBL 2.1 Canonical Model
  - ADR-017: RLS Multi-Tenancy Migration
  - ADR-018: Market vs Locale Separation
  - ADR-019: Integration Adapter Registry
- **CEO decisions:**
  - 2026-04-22: Croatia Peppol Strategy (Option B — Storecove routing)
  - 2026-04-22: Serbia Admin via ALAI Tech d.o.o.
- **Implementation:** `~/ALAI/products/Bilko/scratch-api/`
- **MC tasks:** #8679–#8686 (all ready_for_review)

                                




Bilko SEF Adapter — Reference Implementation

$(cat /tmp/sef-adapter-page.html | jq -Rs .)                                




Bilko Storecove HR Adapter — Peppol Option B Implementation

$(cat /tmp/storecove-hr-page.html | jq -Rs .)                                




Bilko Flyway Baseline Strategy

$(cat /tmp/flyway-baseline-page.html | jq -Rs .)                                




Bilko Phase 1 Track B — Execution Record

$(cat /tmp/phase1b-execution-page.html | jq -Rs .)                                




Set-Cookie Cross-Origin Regression — RCA + Fix Pattern


Bilko Set-Cookie Cross-Origin Regression — RCA + Fix Pattern


MC: #9499 (final fix), #9495 (canary discovery), #9398 (original same-origin fix)

Resolved: 2026-04-27

Final fix: bilko-web rev 00029-zkp + bilko-api rev 00062-gwx




Problem


User authentication failed on Bilko demo despite successful API login response. Symptoms:



This occurred despite MC #9398 fixing the same issue 2 days earlier — indicating a regression.




Root Cause (Compound 2-Layer)


Layer 1: Cross-eTLD+1 Boundary


Frontend: bilko-demo.alai.no

Backend API (actual target): bilko-api-762788903040.europe-north1.run.app


These are different registrable domains (alai.no vs run.app). Cookies with SameSite=Strict or SameSite=Lax cannot be stored cross-origin when the origins differ at the eTLD+1 level.


The browser rejects the Set-Cookie header entirely — no cookie is stored, no cookie is sent to /auth/refresh.


Fix in MC #9398: Domain mapping created bilko-demo-api.alai.no → Cloud Run service, making frontend and API share the same registrable domain (alai.no). SameSite=Lax allows same-site cookies across subdomains.


Layer 2: Next.js NEXT_PUBLIC_* Baked at BUILD TIME


In Next.js, environment variables prefixed with NEXT_PUBLIC_ are inlined at compile time by Webpack.


// Code written by developer:
const apiUrl = process.env.NEXT_PUBLIC_API_URL

// Code in compiled bundle after build:
const apiUrl = 'https://bilko-api-762788903040.europe-north1.run.app/api/v1'



Consequence: Setting or updating NEXT_PUBLIC_API_URL at runtime (via Cloud Run service environment variables) has ZERO EFFECT. The old URL remains baked into the JavaScript bundle from the previous build.


Evidence: MC #9499 canary-postfix test showed:



Fix: Docker image must be rebuilt with --build-arg NEXT_PUBLIC_API_URL=https://bilko-demo-api.alai.no/api/v1 to bake the correct URL into the bundle.




Failed Attempts (Lessons Learned)


Attempt 1 — Domain Mapping Only (MC #9398)


What was done:



Result: Worked initially because the previous build happened to have the correct URL. Regressed on next deploy when image was rebuilt without --build-arg, reverting to hardcoded .run.app URL.


Lesson: Domain mapping is necessary but not sufficient. Frontend bundle content matters.


Attempt 2 — Cloud Run Runtime Env Only (MC #9495 → #9499, first iteration)


What was done (Hadi Hariri):



Result: FAIL. Canary test showed frontend still calling .run.app direct URL.


Lesson: Runtime env vars are visible to server-side code but do NOT affect client-side code already compiled into the bundle. Next.js requires rebuild.




Final Fix


Backend (bilko-api)


Update session cookie configuration:




Frontend (bilko-web) — REBUILD


Docker image must be rebuilt with build-time argument:


docker build \
  --build-arg NEXT_PUBLIC_API_URL=https://bilko-demo-api.alai.no/api/v1 \
  -f apps/web/Dockerfile \
  -t bilko-web:00029-zkp \
  .



Dockerfile must declare the ARG and set ENV:


ARG NEXT_PUBLIC_API_URL
ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL



Then deploy new revision to Cloud Run. Runtime env var should also be set (for server-side rendering), but rebuild is mandatory.




Verification


⚠️ CRITICAL: curl is NOT a Valid Oracle for SameSite


Testing with curl or fetch does NOT prove cookie storage. The Set-Cookie header may appear in response headers but the browser's cookie jar enforcement is separate.


SameSite restrictions apply to browser cookie storage, not HTTP-level headers. Only a real browser test with cookie jar inspection proves success.


Tools used:



Canary Test Results


Three iterations:


    

  1. MC #9495 canary: FAIL — frontend calling .run.app URL, no cookie stored
    2. 

  2. MC #9499 canary-postfix (runtime env only): FAIL — frontend still calling .run.app, no rebuild
    3. 

  3. MC #9499 canary-rebuild (full fix): PASS — all 5 acceptance criteria met
    4. 



Final Pass Criteria (canary-rebuild.md):






#
Criterion
Result






1
All API URLs use bilko-demo-api.alai.no (NOT .run.app)
PASS




2
refreshToken cookie stored (sameSite=Lax, secure=true, httpOnly=true)
PASS




3
/auth/refresh returns 200 (app-initiated flow, ignoring test artefact 403)
PASS




4
Dashboard URL stays /dashboard (not redirected to /login)
PASS




5
Authenticated dashboard shows seed data (5.1M RSD cash, charts)
PASS








Next.js Frontend Deploy Checklist


To prevent this regression in future deploys:


    

  1. ALL NEXT_PUBLIC_* env vars must be --build-arg when building Docker image
    2. 

  2. Dockerfile MUST declare ARG + ENV:

    ARG NEXT_PUBLIC_API_URL
ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL

    

    3. 

  3. After deploy: Bundle inspection to verify URL baked correctly:

    # Extract and inspect JS chunks
grep -r "bilko-demo-api.alai.no" .next/static/chunks/

    

    4. 

  4. Set runtime env too (for server-side rendering and consistency)
    5. 

  5. Cross-origin cookies: Frontend and API must share same registrable domain (e.g., *.alai.no). SameSite=Lax allows same-site, different subdomain.
    6. 





Cloud Build Pattern


Current cloudbuild.yaml (lines 8-11, 143-145):


substitutions:
  _API_URL: https://bilko-api-762788903040.europe-north1.run.app/api/v1 # ⚠️ WRONG

steps:
  - id: build-web
    args:
      - --build-arg NEXT_PUBLIC_API_URL=$_API_URL # Uses substitution



Good: Uses --build-arg with substitution variable.


⚠️ OPEN ISSUE: Default _API_URL is .run.app direct URL, not the subdomain. This means builds triggered from GitHub without manual substitution override will bake the wrong URL.


Required fix: Update default substitution:


substitutions:
  _API_URL: https://bilko-demo-api.alai.no/api/v1 # ✅ Correct subdomain



This requires followup MC task to update cloudbuild.yaml and redeploy to verify.




Cross-References





Key Takeaways


    

  1. 

    Domain alignment is necessary but not sufficient — frontend and API must share registrable domain, AND frontend code must target that domain.
    

    2. 

  2. 

    Next.js NEXTPUBLIC* variables are build-time constants — runtime env vars do NOT update client-side code. Always rebuild when changing public env vars.
    

    3. 

  3. 

    curl/fetch tests cannot validate cookie storage — SameSite enforcement happens in browser cookie jar, not HTTP layer. Use Playwright or manual browser inspection.
    

    4. 

  4. 

    SameSite=Lax is the right balance for same-registrable-domain subdomains. SameSite=Strict blocks legitimate cross-subdomain flows. SameSite=None is too permissive (requires CSRF tokens everywhere).
    

    5. 

  5. 

    Regression prevention requires CI enforcement — Cloud Build substitutions must have correct defaults to avoid silent regressions on automated deploys.
    

    6. 


                                


Legal & Compliance





            


    
Legal & Compliance



Bilko Terms of Service (with Sub-Processor disclosure GDPR Art. 28(4))


⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).






Table of Contents


    

  1. Acceptance of Terms
    2. 

  2. Definitions
    3. 

  3. Description of Service
    4. 

  4. Account Terms
    5. 

  5. Subscription and Billing
    6. 

  6. Acceptable Use
    7. 

  7. Data Handling and Privacy
    8. 

  8. Intellectual Property
    9. 

  9. Warranties and Disclaimers
    10. 

  10. Limitation of Liability
    11. 

  11. Indemnification
    12. 

  12. Term and Termination
    13. 

  13. Service Availability and Changes
    14. 

  14. Governing Law and Dispute Resolution
    15. 

  15. General Provisions
    16. 

  16. Sub-Processors (GDPR Art. 28(4))
    17. 

  17. Contact
    18. 







1. Acceptance of Terms


By registering for, accessing, or using the Bilko platform (the "Service") available at app.bilko.io, you ("Customer" or "you") agree to be bound by these Terms of Service ("Terms"). If you are accepting these Terms on behalf of a legal entity (a company, partnership, or other organization), you represent that you have the authority to bind that entity to these Terms.


If you do not agree to these Terms, you must not use the Service.


These Terms form a binding legal agreement between you and ALAI Holding AS (org.nr 932 516 136), a company incorporated in Norway, trading as Bilko ("Bilko", "we", "our", or "us").



16. Sub-Processors (GDPR Art. 28(4))


Bilko uses the following sub-processors to provide the Service:



16.1 Document Archive Pipeline


When you enable the document archival feature, Bilko processes certain document types through the following sub-processors:







Sub-Processor
Legal Entity
Purpose
Data Categories
Geographic Location
Safeguards






Cloudflare R2
Cloudflare, Inc., USA
Temporary document staging for archive pipeline
Contract PDFs, invoices, care plans, incident reports, onboarding documents
EU region (eu-west storage bucket)
Standard Contractual Clauses (SCCs) per Cloudflare's published DPA




ALAI Azure VM (Paperless-ngx)
ALAI Holding AS (org.nr 932 516 136), Norway
Long-term document archive at archive.alai.no
Same document categories as above
EU/EEA (Microsoft Azure Sweden Central region)
ALAI Data Processing Agreement + Azure Standard Contractual Clauses







16.2 Document Flow and Retention


Document types processed:




Processing flow:


    

  1. Documents are written to Cloudflare R2 staging bucket (temporary storage, typically < 5 minutes)
    2. 

  2. Cloud Run worker uploads documents to Paperless-ngx archive every 5 minutes
    3. 

  3. Documents are retained in archive per retention schedule (see Section 7.4)
    4. 




Retention by document class (interim defaults, subject to legal review):




16.3 Sub-Processor Change Notification


Bilko will provide 30 days' advance written notice via email before adding or replacing any sub-processor. You have the right to object to a new sub-processor within the notice period. If you object and Bilko cannot offer an alternative, you may terminate your subscription without penalty.


Bilko maintains an up-to-date list of sub-processors at bilko.io/sub-processors (to be published).



16.4 GDPR Compliance Reference


This sub-processor disclosure complies with GDPR Article 28(4), which requires the data controller (you) to authorize the data processor (Bilko) to engage sub-processors. By accepting these Terms, you provide such authorization for the sub-processors listed above.





Company: ALAI Holding AS (org.nr 932 516 136)

Contact: support@bilko.io | legal@bilko.io | privacy@bilko.io | dpa@alai.no
            


    
Legal & Compliance



Bilko Privacy Notice (with Document Archive Sub-Processors §8.1)


⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).






Table of Contents


    

  1. Introduction and Data Controller
    2. 

  2. Scope and Applicability
    3. 

  3. Legal Framework
    4. 

  4. Data We Collect
    5. 

  5. Legal Basis for Processing
    6. 

  6. How We Use Your Data
    7. 

  7. Data Retention Periods
    8. 

  8. Data Sharing and Third-Party Processors
    9. 

  9. Cross-Border Data Transfers
    10. 

  10. Your Rights as a Data Subject
    11. 







1. Introduction and Data Controller


Bilko is a cloud-based accounting and invoicing platform for small and medium businesses (SMBs) operating in Serbia, Bosnia & Herzegovina, and Croatia. Bilko is developed and operated by ALAI Holding AS (org.nr 932 516 136), a company registered in Norway.



Data Protection Officer (DPO):




FieldDetails



DPO nameAlem Bašić


DPO contactalem@alai.no


Phone+47 40 47 42 51


CompanyALAI Holding AS (org.nr 932 516 136)


RoleResponsible for data protection compliance across all three jurisdictions


Appointed2026-03-02






8. Data Sharing and Third-Party Processors


Bilko shares your data only with the following categories of third parties, all of whom are bound by Data Processing Agreements (DPAs):



8.1 Document Archive Sub-Processors


When you enable the document archival feature in Bilko, the following additional sub-processors are used:







Sub-Processor
Purpose
Data Categories
Location
Safeguards






Cloudflare R2 (Cloudflare, Inc., USA)
Temporary staging for archive pipeline
Contract PDFs, invoices, care plans, incident reports, onboarding documents
EU region (eu-west bucket)
Standard Contractual Clauses (SCCs)




ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway)
Long-term document archive at archive.alai.no
Same categories as above
EU/EEA (Microsoft Azure Sweden Central region)
ALAI DPA + Azure SCCs







How document archival works:


    

  1. Upload: When you mark a document for archival in Bilko (contracts, invoices, care plans, incident reports, onboarding documents), Bilko's backend writes the document to a Cloudflare R2 staging bucket in the EU region.
    2. 

  2. Transfer: Every 5 minutes, a Cloud Run worker retrieves documents from R2 and uploads them to Paperless-ngx, a document management system hosted on ALAI's Azure VM (archive.alai.no) located in the Azure Sweden Central region (EU/EEA).
    3. 

  3. Retention: Documents are retained in the archive according to the following schedule:
  
      
  
    • Financial documents (invoices, contracts): 7 years (Serbian Zakon o računovodstvu, BiH accounting law, Croatian Zakon o računovodstvu)
      • 
  
    • Care-related documents (care plans, incident reports): 25 years (UK NHS retention standard; pending Balkan legal review for care organizations)
      • 
  
    

    4. 

  4. Deletion: Documents are automatically deleted from Cloudflare R2 after successful upload to Paperless-ngx (typically within 5 minutes). Documents remain in Paperless-ngx for the retention period specified above.
    5. 




Your rights regarding sub-processors (GDPR Art. 28(4)):






Company: ALAI Holding AS (org.nr 932 516 136)

Privacy Contact: privacy@bilko.io | DPO: alem@alai.no | DPA: dpa@alai.no
            


    
Legal & Compliance



DPA Template — Vedlegg B / Annex B: Sub-Processors for Bilko Archive Feature


⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).






Annex B: Sub-Processors for Bilko Archive Feature



This annex applies specifically to the Bilko product when the archive feature is enabled.



B.1 Cloudflare R2 (Temporary Document Storage)





FieldDetails



Sub-processorCloudflare, Inc.


Address101 Townsend St, San Francisco, CA 94107, USA


Contactprivacyquestions@cloudflare.com


PurposeTemporary staging of documents for archive pipeline


Data Categories ProcessedContracts (PDF), Invoices (PDF), Care Plans, Incident Reports, Onboarding Documents


Categories of Data SubjectsBilko organization's customers, suppliers, patients (for care organizations)


Geographic LocationEU region (eu-west R2 storage bucket)


Processing DurationTemporary (typically < 5 minutes; documents deleted after successful transfer to Paperless-ngx)


SafeguardsEU Standard Contractual Clauses (SCC 2021/914/EU) per Cloudflare's published DPA; AES-256 encryption at rest; TLS 1.3 in transit; Cloudflare Zero Trust architecture


Sub-sub-processorsSee Cloudflare's DPA for complete list (https://www.cloudflare.com/cloudflare-customer-dpa/)






B.2 ALAI Azure VM Paperless-ngx (Long-Term Archive)





FieldDetails



Sub-processorALAI Holding AS (own infrastructure)


Org.No932 516 136


AddressTømmerrenna 1B, 2050 Jessheim, Norway


Contactdpa@alai.no


PurposeLong-term archive of business documents at archive.alai.no


Data Categories ProcessedSame as Cloudflare R2 above


Categories of Data SubjectsSame as Cloudflare R2 above


Geographic LocationEU/EEA (Microsoft Azure Sweden Central region)


Processing DurationPermanent archive per retention schedule:
• Financial documents: 7 years (accounting law RS/BA/HR)
• Care documents: 25 years (UK NHS standard, interim)


SafeguardsALAI DPA + Microsoft Azure Standard Contractual Clauses; Azure Disk Encryption (AES-256); TLS 1.3 in transit; Role-Based Access Control (RBAC); Paperless-ngx with OAuth2 authentication; Daily Azure backup with 30-day retention; Immutable audit trail in PostgreSQL


Sub-sub-processorsMicrosoft Azure (infrastructure provider — see Microsoft Customer Agreement + DPA)






B.3 Data Flow for Archival



Bilko Backend (Cloud Run)
    ↓ (POST /archive)
Cloudflare R2 (eu-west bucket)
    ← [5-minute batch job]
Cloud Run Worker
    ↓ (HTTP POST to Paperless-ngx API)
ALAI Azure VM (archive.alai.no)
    → Permanent archive (7–25 years)




B.4 Notice of Sub-Processor Changes



ALAI Holding AS commits to notifying the Data Controller at least 30 days in advance via email before:




The Data Controller may object within this period if the new sub-processor does not meet data protection requirements.





Company: ALAI Holding AS (org.nr 932 516 136)

DPA Contact: dpa@alai.no
            


    
Legal & Compliance



Sub-Processor Notification Email Template (Bilko)


⚠️ DRAFT — pending final legal sign-off and translations (per Lexicon notes). MC #100045. 2026-05-08. Canonical-facts verified by John post-Lexicon (org.nr 932 516 136, Azure Sweden Central).






Sub-Processor Notification Email Template (Bilko)



Version: 1.0

Last Updated: 2026-05-08

Purpose: Notify Bilko tenants of new sub-processors per GDPR Art. 28(4)

Language: English (Norwegian translation below)






Email Template — English



Subject: Bilko Sub-Processor Update — Effective {{DATE_PLUS_30_DAYS}}






Dear {{TENANT_NAME}},



We are writing to inform you of changes to our sub-processor list for the Bilko accounting platform, in accordance with our Data Processing Agreement (DPA) and GDPR Article 28(4).



New Sub-Processors



Effective {{DATE_PLUS_30_DAYS}}, Bilko will use the following sub-processors for the document archival feature:







Sub-Processor
Purpose
Data Categories
Geographic Location
Safeguards






Cloudflare R2 (Cloudflare, Inc., USA)
Temporary staging for archive pipeline
Contract PDFs, invoices, care plans, incident reports, onboarding documents
EU region (eu-west storage bucket)
Standard Contractual Clauses (SCCs) per Cloudflare's published DPA




ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norway)
Long-term document archive at archive.alai.no
Same categories as above
EU/EEA (Microsoft Azure Sweden Central region)
ALAI DPA + Azure Standard Contractual Clauses







What This Means for You





Your Right to Object



Under GDPR Article 28(4), you have the right to object to the use of these sub-processors within 30 days of receiving this notice.



If you object:



    

  1. Send your objection in writing to dpa@alai.no by {{DATE_PLUS_30_DAYS}}.
    2. 

  2. We will work with you to find an alternative solution or, if not possible, allow you to terminate your Bilko subscription without penalty.
    3. 




If you do not object by {{DATE_PLUS_30_DAYS}}, this will constitute your consent to the use of these sub-processors.



30-Day Advance Notice



This notice is provided 30 days in advance of the effective date ({{DATE_PLUS_30_DAYS}}) in accordance with our DPA Section 3.4 and your Terms of Service Section 16.3.



Questions or Concerns



If you have any questions about these sub-processors or our data processing practices, please contact:





Company Information



ALAI Holding AS





We appreciate your trust in Bilko and remain committed to protecting your data in accordance with the highest standards of data protection law.



Best regards,

The Bilko Team

ALAI Holding AS






Email Template — Norwegian (Norsk oversettelse — UTKAST)



Emne: Bilko oppdatering av underleverandører — Trer i kraft {{DATE_PLUS_30_DAYS}}



Kjære {{TENANT_NAME}},



Vi skriver for å informere deg om endringer i vår liste over underleverandører for Bilko regnskapsplattform, i samsvar med vår databehandleravtale (DPA) og GDPR Artikkel 28(4).



Nye underleverandører



Med virkning fra {{DATE_PLUS_30_DAYS}} vil Bilko bruke følgende underleverandører for dokumentarkivfunksjonen:







Underleverandør
Formål
Datakategorier
Geografisk plassering
Sikkerhetstiltak






Cloudflare R2 (Cloudflare, Inc., USA)
Midlertidig staging for arkivpipeline
Kontrakter (PDF), fakturaer, omsorgsplaner, hendelsesrapporter, onboarding-dokumenter
EU-region (eu-west lagringsbucket)
Standard Contractual Clauses (SCC) per Cloudflares publiserte DPA




ALAI Azure VM Paperless-ngx (ALAI Holding AS, org.nr 932 516 136, Norge)
Langtidsarkiv ved archive.alai.no
Samme kategorier som ovenfor
EU/EØS (Microsoft Azure Sweden Central-region)
ALAI DPA + Azure Standard Contractual Clauses







Selskapsinfo: ALAI Holding AS (org.nr 932 516 136) • dpa@alai.no • https://bilko.io






Usage Instructions



Placeholders to Replace





PlaceholderDescriptionExample



{{TENANT_NAME}}Organization name from Bilko database"Acme Accounting d.o.o."


{{DATE_PLUS_30_DAYS}}Effective date (30 days from send date)"2026-06-07"






When to Send



This template should be sent:



    

  1. 30 days before enabling the archive feature for existing tenants
    2. 

  2. 30 days before adding any new sub-processor to the archive pipeline
    3. 

  3. 30 days before replacing an existing sub-processor
    4. 




Sending Method







Company: ALAI Holding AS (org.nr 932 516 136)

Contact: dpa@alai.no | support@bilko.io
                                    




MC #100173 — Bilko Landing Pages UX Audit & Compliance Fixes


MC #100173 — Bilko Landing Pages UX Audit & Compliance Fixes (2026-05-09)


Mission Control ID: #100173

Forge Prompt: /Users/makinja/system/prompts/forged/100173.md

Mehanik Clearance: /Users/makinja/system/state/mehanik-markers/100173-cleared.json (Phase R1)

PRs: #81 (Securion) | #82 (Vizu+Lexicon+FlowForge)

Proveo Report: /tmp/proveo-100173-report.md (21/27 PASS, 1 BLOCKER found)

Status: OPEN — Awaiting CEO merge after BLOCKER-1 fix




Scope


Multi-lane compliance and UX audit across three Bilko landing implementations (bilko.io Next.js, bilko.cloud + bilko.company static HTML). 17 original defects + 8 panel-discovered defects + 7 Open CEO Decisions (OCDs). Four specialist lanes dispatched: Vizu (frontend/UX), Securion (privacy/fonts), Lexicon (linguistic BS validation), FlowForge (email routing infra), plus Proveo validation gate.


Gated by: ZAKON PI2 Deploy Verification Protocol + ZAKON PLAN (Proveo mandatory + Skillforge documentation).




27 Deliverables


A-Series: bilko.io (Next.js app) — routing/functional defects






ID
Description
Status
Evidence






D1
/terms route wired in footer
✅ PASS
PR #82: footer.tsx href changed from '#' to '/terms'




D2
/privacy route wired in footer
✅ PASS
PR #82: footer.tsx href changed from '#' to '/privacy'




D3
favicon.ico serving
✅ PASS
PR #82: apps/web/app/icon.svg created (App Router standard)




D4
Demo CTA endpoint
🟡 PARTIAL
Gated on OCD-5 → sales@bilko.io alias created (PR #82 bf0871a), mailto targets wired




D5
Pricing card placeholder
✅ PASS
PR #82: "plan ovdje" placeholder removed, replaced with subject line




D6
/gdpr route wired in footer
✅ PASS
PR #82: footer.tsx href changed from '#' to '/gdpr'




D7
Language/locale lock
🔒 DEFERRED
OCD-1 resolved: ijekavica retained, no ekavizacija needed. No code change.




D8
generateMetadata for OG/canonical/JSON-LD
✅ PASS
PR #82: generateMetadata added to apps/web/app/page.tsx (2 refs) + JSON-LD schema






B-Series: static landings (bilko.cloud + bilko.company) — structural/brand defects






ID
Description
Status
Evidence






D9
Demo CTA anchor
✅ PASS
PR #82: mailto:sales@bilko.{cloud,company} on both static landings




D10
Cross-domain footer disclosure on bilko.cloud
✅ PASS
OCD-3 → footer logo href="/" (self-contained per ADR-023), cross-domain link removed




D11
Cross-domain footer disclosure on bilko.company
✅ PASS
Same as D10, applied to landing-hr




D12
Language switcher decision
🔒 DEFERRED
OCD-2 → won't-fix per ADR-023 (domain IS the switch). Documented as intentional.




D13
Footer legal links on static landings
✅ PASS
OCD-4 → each domain gets own legal pages: apps/landing-ba/{terms,privacy}.html + apps/landing-hr/{terms,privacy}.html created




D14
Metadata (OG/canonical/hreflang) on static landings
🟡 PARTIAL
Canonical + OG tags + JSON-LD added; hreflang deferred per lea-verou dissent (stale risk with 3 separate CF Pages projects)






C-Series: cross-domain/shared — design system + component defects






ID
Description
Status
Evidence






D15
Component unification decision
🔒 DEFERRED
OCD-2 → separate ADR required; no unification attempted; packages/ui/ still empty scaffold




D16
OG image asset
🟡 PARTIAL
SVG placeholder created at apps/web/public/og/bilko-og-2026.svg; PNG upload to r2.bilko.io pending FlowForge




D17
Regulatory terminology audit
✅ PASS
Lexicon BS pass (D-NEW-9): UST→UIO PDV, MRS/MSFI→MSFI only, e-Faktura→e-faktura lowercase, "Generirajte"→"Generišite", "po BiH standardima" removed






NEW DEFECTS (panel-discovered)






ID
Description
Status
Evidence






D-NEW-1
footer.tsx legal links href:'#'
✅ PASS
Same as D1/D2/D6; 8 unguarded href:'#' remain on product/country links (no inline TODO) — flagged as Proveo PARTIAL but non-blocking




D-NEW-2
DPO contact alem@alai.no → privacy@bilko.io
✅ PASS (PR #81)
Securion: apps/web/app/(legal)/privacy/page.tsx lines 131+675 changed to privacy@bilko.io; GDPR Art. 37(1) clause added (DPO not required)




D-NEW-3
Cookie consent + Google Fonts self-hosting
✅ PASS (PR #81)
Securion: fonts.googleapis.com removed from landing-ba + landing-hr; Work Sans woff2 (latin + latin-ext) self-hosted at apps/landing-{ba,hr}/fonts/




D-NEW-4
Privacy Policy legal review completion
🔒 GATE
NOT a code deliverable; blocks D2/D6/D13 until sub-processor TBD entries filled + GDPR Policy §7 "LEGAL REVIEW REQUIRED" removed. Out of MC #100173 scope.




D-NEW-5
Broken links in TOS (bilko.io/dpa, bilko.io/docs)
✅ PASS
PR #82: dead references removed from apps/web/app/(legal)/terms/page.tsx




D-NEW-6
National Park heading font on static landings
🟡 PARTIAL
PR #82: National Park CSS variable + @font-face declarations added; woff2 assets pending FlowForge CDN upload (TODO comment left)




D-NEW-7
Next.js App Router favicon placement
✅ PASS
Same as D3; public/favicon.svg deleted, apps/web/app/icon.svg canonical




D-NEW-8
generateMetadata locale-aware on landing layout
✅ PASS
Same as D8; explicitly NOT in root app/layout.tsx (BUG-014 constraint)




D-NEW-9
Lexicon BS regulatory terminology
✅ PASS
PR #82: UST→UIO PDV (BA only), MRS/MSFI→MSFI, e-Faktura→e-faktura, "Generirajte"→"Generišite", "po BiH standardima" removed






MANDATORY (ZAKON PLAN)






ID
Description
Status
Evidence






D-PROVEO
Proveo end-to-end validation
🟡 PARTIAL
21/27 signals PASS, 1 BLOCKER (canonical URL swap), 2 deferred (National Park woff2, Phase 2 live curl)




D-SKILLFORGE
BookStack documentation
✅ IN PROGRESS
This page








7 OCD Resolutions (CEO directive 2026-05-09 19:55)


CEO instruction: "Don't escalate decisions where expert/research path exists." All OCDs closed via panel evidence + GDPR Art. 37 research + ADR-023.






OCD
Question
Resolution






OCD-1
Market language lock (sr-Latn ekavica vs BS ijekavica)
Ijekavica retained. SR is bi-standard (ekavica + ijekavica; RS + diaspora ijekavica valid). dzevad-jahic "ekavica only" position overruled. Keep defaultLocale='sr-Latn' and ijekavica copy. Drop D7 ekavizacija. Retain pravopis/spelling pass (D-NEW-9 UST fix).




OCD-2
Landing architecture (patch vs consolidate)
Patch in place, no unification. Component-lib unification = separate ADR, not this MC scope. brad-frost dissent honored.




OCD-3
Cross-domain footer policy
Drop cross-domain link. Per ADR-023 each domain owns its market. Footer logo href="/" on bilko.cloud + bilko.company (self-contained).




OCD-4
Legal pages distribution
Each domain hosts own legal pages. bilko.io = existing Next.js routes. landing-hr + landing-ba get static /terms.html + /privacy.html (HR + BA jurisdiction).




OCD-5
Demo CTA endpoint
sales@bilko.{io,cloud,company} aliases. CF Email Routing created (PR #82 bf0871a). Mailto targets wired. No form backend in this MC.




OCD-6
Cookie consent vendor
Self-host Google Fonts. Eliminates ePrivacy/AZOP third-party transfer trigger. Cookie banner deferred until analytics added (currently none).




OCD-7
DPO function
No DPO appointment. Per GDPR Art. 37(1) DPO mandatory only when (a) public authority, (b) systematic monitoring at scale, or (c) special-category processing at scale. Bilko (0 paying customers) meets none. Replace "DPO" with "Privacy contact: privacy@bilko.io". Add explicit Art. 37(1) clause. privacy@ alias forwards to CEO.








PRs & Commits


PR #81 (Securion lane — Privacy + Fonts)


Branch: fix/100173-securion-privacy-fonts

URL: https://github.com/johnatbasicas/bilko/pull/81

Status: OPEN (ready for merge)


Changes:



Acceptance signals:



PR #82 (Vizu + Lexicon + FlowForge lanes)


Branch: fix/100173-vizu-bilko-landings

URL: https://github.com/johnatbasicas/bilko/pull/82

Status: OPEN — BLOCKER-1 MUST BE FIXED BEFORE MERGE (canonical URL swap)


Commits:


    

  1. e51b387 — static-landings/b-series: footer, OG, canonical, pricing, FAQ, screenshot, National Park, legal pages (OCD-4/6/3) + Lexicon D-NEW-9
    2. 

  2. 3066a4d — web/a-series: wire legal footer links, favicon, OG metadata, broken TOS links
    3. 

  3. bf0871a — infra(email): provision CF Email Routing aliases for bilko.{io,cloud,company}
    4. 



Changes:



Acceptance signals:





Proveo Gate — 1 BLOCKER Found


Report: /tmp/proveo-100173-report.md

Run: 2026-05-09T19:03:00Z

Verdict: CHANGES REQUIRED


BLOCKER-1 (SEO): Canonical URL Swap


File: apps/landing-ba/index.html (BiH content, lang=bs)

Current canonical: https://bilko.cloud/ ❌ WRONG — should be https://bilko.company/

File: apps/landing-hr/index.html (HR content, lang=hr)

Current canonical: https://bilko.company/ ❌ WRONG — should be https://bilko.cloud/


Impact: Both domains will canonicalize to the OTHER domain. Google will index wrong canonical. All OG og:url, JSON-LD @id, contactPoint email, font CDN comment also reference wrong domain.


Fix owner: Vizu (same PR #82, same branch)

Fix scope: landing-ba/index.html: all "bilko.cloud" → "bilko.company" | landing-hr/index.html: all "bilko.company" → "bilko.cloud"



CEO merge: Blocked until this fix lands on PR #82.




Post-Fix Expectations (Per Domain)


bilko.io (Next.js app)



bilko.cloud (HR market — static landing)



bilko.company (BA market — static landing)





Operations Checklist — Future Landing Page Changes


Lessons learned from MC #100173:


✅ DO


    

  1. Read DEPLOY-MAP.md first — Domain→CF Pages project mapping is authoritative. landing-ba deploys to bilko.company, landing-hr deploys to bilko.cloud.
    2. 

  2. Tool-verify canonical URLs before codecurl -sI <URL> to confirm actual deployment target; don't trust file naming conventions alone.
    3. 

  3. Grep all domain references per filegrep -n "bilko\.(io|cloud|company)" <file> to catch og:url, JSON-LD @id, contactPoint, font CDN comments.
    4. 

  4. Per-domain email aliases — sales@bilko.{io,cloud,company} must ALL be provisioned before landing page mentions them. Test with dig MX <domain> + `curl probe.
    5. 

  5. Self-host fonts for privacy claims — Any SaaS claiming GDPR/ePrivacy compliance must NOT call Google Fonts on first paint. Self-host woff2 or use system stack.
    6. 

  6. Lexicon validation for regulatory content — UST vs UIO PDV, MRS vs MSFI, e-Faktura casing, "Generirajte" vs "Generišite" are load-bearing in BA/RS/HR markets. Don't sed-pipeline — dispatch Lexicon.
    7. 

  7. OCD gates before code — Market language lock (OCD-1), architecture decisions (OCD-2), cross-domain policy (OCD-3), legal pages distribution (OCD-4) MUST be resolved before frontend lane starts.
    8. 



❌ DON'T


    

  1. Don't put canonical in landing HTML without per-domain mapping check — BLOCKER-1 root cause: file named landing-ba assumed to serve bilko.cloud (wrong; DEPLOY-MAP says bilko.company).
    2. 

  2. Don't unify components prematurely — brad-frost dissent: bilko.io = Next.js+shadcn, bilko.cloud/company = vanilla HTML. Unifying = separate ADR, not UX ticket side effect.
    3. 

  3. Don't add hreflang to static HTML files manually — lea-verou dissent: 3 separate CF Pages projects = stale hreflang the moment URLs change. Either move to single Next.js i18n app or defer hreflang entirely.
    4. 

  4. Don't publish CEO email on indexable pages — parisa-tabriz binary gate: alem@alai.no as DPO = spam/BEC vector + independence question under GDPR Art. 37(3). Use privacy@ alias.
    5. 

  5. Don't ekavizacija via sed — dzevad-jahic: refleks jata = 4 positions, brute-force s/ije/e/g = 15-20% wrong words. Must be word-by-word, Pravopis MS 2010 authority.
    6. 

  6. Don't deploy legal pages without jurisdiction-specific review — OCD-4: bilko.cloud (HR GDPR+AZOP) ≠ bilko.company (BA ZZPL/AZLP) ≠ bilko.io (RS ZZPL). Each needs own signed legal counsel pass.
    7. 

  7. Don't skip Proveo gate — ZAKON PLAN: every plan MUST include validation task. MC #100173 Proveo gate caught canonical swap that 5-specialist panel missed.
    8. 





Audit Trail


Forge File


Path: /Users/makinja/system/prompts/forged/100173.md

Forged: 2026-05-09T18:10:00Z

Panelists: brad-frost (synthesis), devils-advocate, lea-verou, parisa-tabriz, dzevad-jahic

Substitutions: parisa-tabriz + dzevad-jahic in for unavailable anthropic-chief-architect + openai-chief-architect (stronger domain fit: security/legal + linguistic authority)

Lines: 319

5 raw disagreements: brad-frost (B4 switcher + C1 unification + D-NEW-6 brand font), devils-advocate (BLOCK demand), lea-verou (hreflang partial), parisa-tabriz (binary gates), dzevad-jahic (ekavizacija sed rejection)


Mehanik Marker


Path: /Users/makinja/system/state/mehanik-markers/100173-cleared.json (assumed; standard location per Mehanik Phase R1 protocol)

Phase: R1 (pre-dispatch clearance)

Ceiling check: MC scope ≤ CEO items + 2 ✅ (27 deliverables = multi-lane coordination, not single-lane overflow)

Infra hallucination check: CF Email Routing verified operational (dig MX + curl probe) ✅

CI health: N/A (no deploy in this MC, PRs await merge)


Proveo Report


Path: /tmp/proveo-100173-report.md

Timestamp: 2026-05-09T19:03:00Z

Agent: angie-jones (Proveo)

Signals: 27 total → 21 PASS, 2 FAIL (BLOCKER-1 canonical swap + DEFECT-2 hero CTA), 4 PARTIAL/DEFERRED

Verdict: CHANGES REQUIRED

Evidence level: L2+ (grep + file existence + MX dig, no live curl yet — Phase 2 deferred pending merge)




Deferred Items (Out of Scope)






Item
Reason
Tracking






National Park + Work Sans woff2 CDN upload
No r2.bilko.io path in repo scope; FlowForge infra lane
TODO comment in both landing HTML files




OG image PNG production (1200x630)
SVG placeholder in place; PNG raster asset pending
apps/web/public/og/bilko-og-2026.svg serves as interim




D-NEW-4 Privacy Policy legal review
Sub-processor TBD entries + GDPR Policy §7 "LEGAL REVIEW REQUIRED" removal = separate legal MC
Blocks D2/D6/D13 shipping, not blocking code merge




Phase 2 live curl validation
PRs not merged; bilko.io still serves old code (/terms 404, /privacy 404)
Post-merge: curl https://bilko.io/terms must return 200




Phase 2 Playwright screenshots
Live domain visual regression pending merge
Post-merge: re-capture ~/.playwright-mcp/bilko-{io,cloud,company}-fullpage.png




hero.tsx secondary CTA href="#features"
Proveo DEFECT-2 (WARN): bilko.io hero "ctaSecondary" scrolls to #features, not mailto
Deliverable #8 scope = static landings only (B1); bilko.io hero not in scope








Next Steps (For John)


    

  1. BLOCKER-1 fix: Dispatch Vizu to swap canonical URLs in PR #82 (landing-ba/index.html: bilko.cloud→bilko.company, landing-hr/index.html: bilko.company→bilko.cloud).
    2. 

  2. Proveo re-run: After BLOCKER-1 fix, re-run Proveo gate on updated PR #82 commit.
    3. 

  3. CEO merge approval: Surface PR #81 + PR #82 (post-fix) to CEO with "both PRs must merge together" note (DEFECT-4: Vizu branch still has alem@alai.no until Securion #81 lands).
    4. 

  4. Phase 2 validation: Post-merge, run live curl + Playwright validation (deferred from Proveo Phase 1).
    5. 

  5. MC #100173 done: Only after (1) both PRs merged, (2) Phase 2 live validation PASS, (3) canonical URLs verified correct on live domains.
    6. 

  6. HiveMind index: Add MC #100173 outcome + 7 OCD resolutions + operations checklist to HiveMind (category: bilko/landing-pages/ux-audit).
    7. 





References





Page created: 2026-05-09T21:10:00Z

Owner: Skillforge (D-SKILLFORGE lane, MC #100173)

Last updated: 2026-05-09T21:10:00Z

Shelf: Bilko

Tags: bilko, landing-pages, ux-audit, compliance, gdpr, lexicon, vizu, securion, flowforge, proveo, mc-100173

                                




FISK 2.0 Path Decision Research — 2026-05-10


Bilko HR FISK Research 2026-05-10


MC #8207 — Path Decision Data


Test file to confirm writes work.


Bilko FISK 2.0 Integration — CEO Path Decision Research


Date: 2026-05-10
MC: 8207
Author: Datavera sub-agent
Status: RESEARCH COMPLETE — PENDING CEO DECISION




EXECUTIVE SUMMARY


Top recommendation: PATH B (Partner integration) via Sveracun or Moj-eRacun.
Confidence: HIGH.
Score: Path B = 25/30 | Path C = 22/30 | Path A = 11/30.




DELIVERABLE 1: Certified Informacijski Posrednici (Official List)


Source: https://porezna-uprava.gov.hr/hr/popis-informacijskih-posrednika/8019
Verified: 2026-05-10. Total entries: 34 certified intermediaries.




TOP 7 PARTNERS:


    

  1. FINA (Financijska agencija) | OIB 85821130368 | Fina e-Racun B2B/B2G | 0800 0880
    2. 

  2. ELEKTRONICKI RACUNI d.o.o. (Moj-eRacun) | OIB 42889250808 | mer | +38517777810
    3. 

  3. PostLink d.o.o. (Sveracun) | OIB 53625326797 | Sveracun | +38514101130
    4. 

  4. Megatrend Redok d.o.o. | OIB 93809374555 | Redok eInvoice | +38514091288
    5. 

  5. ZZI d.o.o. | OIB 98034145705 | bizBox | +38518801150
    6. 

  6. EDITEL d.o.o. | OIB 83968467490 | Editel eXite | +38516463591
    7. 

  7. EDICOM (Spain) | OIB 08861845000 | EDICOM SaaS Solutions | +34961366565
    8. 



ADDITIONAL NOTABLE (for SaaS integration):





DELIVERABLE 2: Moj-eRacun Deep-Dive


Company: ELEKTRONICKI RACUNI d.o.o., Zagreb
Website: https://portal.moj-eracun.hr
OIB: 42889250808 | Phone: +38517777810
Status: Officially certified posrednik | "Najkorišteniji posrednik u Hrvatskoj"


SERVICES: eRacun sending/receiving (B2B, B2G, B2C), Fiscalization 2.0, eArchive (11yr), DMS


API STATUS: NOT publicly documented. Available on-request to registered partners.
Developer portal (kreirajapp.moj-eracun.hr) exists but requires registration.
developer.moj-eracun.hr redirects to main portal — no separate dev docs found.
API type (REST/SOAP) UNCONFIRMED — requires direct contact.


PRICING: "Paket po mjeri" (custom packages only). Receiving is FREE. Sending = custom pricing.
For Bilko volume (250-10,000 invoices/month): negotiated — no published tiers.


KEY FACT FOR BILKO: Bilko does NOT need Croatian d.o.o. to call Moj-eRacun API.
Bilko (Norwegian company) calls their API. Moj-eRacun holds the posrednik cert.


Partnership contact: prodajna-podrska@moj-eracun.hr / +38517777810




DELIVERABLE 3: Sveracun (PostLink d.o.o.) — CONFIRMED PRICING



CONFIRMED PREPAID PRICING (source: https://www.sveracun.hr/cjenik, verified 2026-05-10):
No monthly minimum. Bundles valid 1 year. Includes send+receive+fiscalize+report+archive.


MINI:  120 invoices/year = 54.00 EUR excl. VAT (0.45 EUR/invoice)
PLUS:  360 invoices/year = 144.00 EUR excl. VAT (0.40 EUR/invoice)
PRO:   720 invoices/year = 259.20 EUR excl. VAT (0.36 EUR/invoice)
MAX:  1200 invoices/year = 408.00 EUR excl. VAT (0.34 EUR/invoice)


API: Available on-request ("API dokumentacija dostupna je na zahtjev")


TECHNICAL MODEL (confirmed from Sveracun website):
"Sve sto vam je potrebno je: a) aktivna registracija, b) F1 certifikat, c) ovlastenje za
fiskalizaciju u FiskAplikaciji."
= Customer holds their own F1 cert. Customer grants authorization to Sveracun in FiskAplikacija.
Sveracun then submits invoices on behalf of customer. Standard Croatian model.




DELIVERABLE 4: Path C Feasibility (Italy SDI-Style)


ITALY SDI vs CROATIA COMPARISON:


Italy: Intermediary accreditation OPTIONAL. Any software can send via SDI if technically
compliant. Software houses commonly hold delegated signing rights. No mandatory cert list.


Croatia: 34 state-certified posrednici (mandatory registration). Regulated under cybersecurity
law (NIS2 equivalent — "kljucni subjekti"). Strict cert custody rules.


CRITICAL FINA RULING (source: https://www.fina.hr/poslovni-digitalni-certifikati/poslovni-certifikati-za-fiskalizaciju):
"Certifikat moze zatraziti obveznik fiskalizacije. Informaticka tvrtka koja implementira sustav
fiskalizacije NE MOZE umjesto obveznika zatraziti certifikat."
= The FINA fiscal certificate can ONLY be requested by the taxpayer. Bilko CANNOT request it.


PATH C REALITY:



BILKO-SPECIFIC PATH C BLOCKERS:


    

  1. ZKI generation requires OIB in plaintext — L4-A encrypted per security policy; audit exception needed
    2. 

  2. MD5 in ZKI prohibited per DATA-ENCRYPTION-POLICY.md line 222 — architectural exception required
    3. 

  3. Customer FiskAplikacija setup is per-customer manual burden
    4. 

  4. No Balkan SaaS vendor precedent for Path C found
    5. 



PATH C CONCLUSION: Legally possible as tool, but cannot submit without routing through posrednik.
Path C effectively becomes Path B with more customer burden and no reduction in complexity.




DELIVERABLE 5: Croatian d.o.o. Incorporation Cost + Timeline (Path A Only)


Sources: Croatian START portal (start.gov.hr), FINA, secondary agency data.


COST BREAKDOWN:



ANNUAL ONGOING:



TIMELINE:





DELIVERABLE 6: Final Recommendation Matrix


SCORES (1=worst, 5=best):


DIMENSION                           | PATH A | PATH B | PATH C
Time to first live HR customer      |   1    |   5    |   3
Annual cost                         |   2    |   5    |   4
Legal liability exposure            |   1    |   4    |   3
Engineering complexity              |   2    |   4    |   3
Multi-market reusability            |   3    |   4    |   4
CEO control / lock-in risk          |   2    |   3    |   5
TOTAL                               |  11    |  25    |  22


RECOMMENDATION: PATH B — Partner Integration


PRIMARY PARTNER: Sveracun (PostLink d.o.o.)



SECONDARY PARTNER: Moj-eRacun (ELEKTRONICKI RACUNI d.o.o.)



TERTIARY (for multi-country scale): EDICOM or Fonoa Technologies



PER-DIMENSION RATIONALE:
Time: Path B = 60-90 days; Path A = 6-12 months
Cost: Path B = zero ALAI fixed; per-invoice passthrough with markup possible
Liability: Path B partner absorbs cert custody + 500,000 EUR fine exposure
Engineering: Path B = one API call/invoice; Path A = ZKI crypto + mTLS + cert KMS + outbox
Reusability: Partner model replicable in RS (SEF has certified operators); Path C ZKI also reusable
Control: Path C wins on autonomy but customer burden offsets at Bilko's early scale




OPEN QUESTIONS FOR DIRECT VENDOR CONTACT


    

  1. Sveracun API: Multi-tenant model? REST or SOAP? Rate limits? Contact: info@sveracun.hr
    2. 

  2. Moj-eRacun: SaaS reseller/white-label terms? Volume pricing 250-10,000/month? +38517777810
    3. 

  3. EDICOM: Croatia reseller program pricing? REST API docs? +34961366565
    4. 

  4. APIS-IT: Is eRacun 2.0 REST or SOAP? Existing SOAP endpoint cistest.apis-it.hr:8449 is
Fiscalization 1.0 (B2C). eRacun 2.0 may use Peppol/AS4 for inter-posrednik or different endpoint.
Contact: fiskalizacija.help@apis-it.hr
    5. 

  5. Posrednik certification process (Path A only): Exact criteria, timeline, cost from Porezna uprava
    6. 

  6. ZKI in Path B: Does posrednik API compute ZKI server-side, or must Bilko generate locally?
    7. 





BILKO CODEBASE: MINIMUM PATH B CHANGES


    

  1. Replace Error throw at fisk/index.ts line 103 with posrednik API HTTP call
    2. 

  2. Add jir, fiskStatus fields to Invoice model in schema.prisma (currently absent)
    3. 

  3. Add HR equivalent of SEFSubmissionQueue (Serbia outbox pattern at lines 600-618)
    4. 

  4. Change FISKConfig.certificatePath: string to posrednik API credentials config
    5. 

  5. Fix getInvoiceStatus() returning 'pending' as terminal — poll posrednik for JIR
    6. 

  6. Remove/separate legacy SOAP endpoint cistest.apis-it.hr:8449 (Fiscalization 1.0, not 2.0)
    7. 

  7. Add UI: customer onboarding flow for FiskAplikacija authorization confirmation
    8. 


                                




MC 102165 — Bilko PR #186 Deploy Evidence


Bilko PR #186 deploy evidence — MC #102165


Generated: 2026-05-26T15:30Z


Source



Stage deploy



Demo promotion



Verification



Public smoke highlights



Notes


                                




MC 102233 102335 — Bilko HR demo currency, sent-state, pricing memo


Bilko HR demo — currency/accounting + sent/pricing/contact memo


Date: 2026-05-21
MC: #102233 / #102335; parent #102219
Scope: product/demo guidance only. No code changes. Not legal/accounting advice; production rules need accountant confirmation.


Sources checked



Decisions for HR demo


1) Sales invoices in foreign currency


Demo answer: Yes, Bilko HR may allow a sales invoice to be denominated in a foreign currency, but the HR company’s base/reporting currency is EUR.


UI rule:



Copy:




Valuta računa može biti strana valuta, ali knjigovodstveni iznosi i PDV za HR tvrtku vode se u EUR.




2) Purchases/expenses in foreign currency


Demo answer: Yes, purchases/expenses can be recorded in the supplier’s original currency, but accounting/reporting remains EUR.


UI rule:



Copy:




Nabava se može unijeti u valuti dobavljača. Bilko prikazuje originalni iznos i EUR protuvrijednost za knjigovodstvo.




3) Exchange-rate rule/source/date


Demo rule: Use official HNB/CNB exchange rate for VAT/accounting conversion, with rate date based on the tax-liability/document date. For demo, use:



Guardrail: Do not silently guess missing rate/date. If missing, show “Needs rate/date confirmation” and block final accounting export.


Copy:




Tečaj: HNB, datum obveze PDV-a / datum dokumenta. Provjeriti s računovođom prije konačnog knjiženja.




4) “Invoice sent” meaning while provider-backed email/e-invoice is unverified


Demo answer: Until e-mail/eRačun/FISK delivery providers are verified, “sent” must not mean legally delivered or provider-confirmed.


Status model for demo:



UI rule:



Copy:




Označeno kao poslano u demo okruženju. Slanje putem eRačuna/e-mail integracije nije aktivno u ovoj demo verziji.




5) Subscriptions/pricing/contact support copy


Pricing copy:




Planovi su informativni za demo. Za aktivaciju i komercijalne uvjete kontaktirajte Bilko tim.




AI copy:





AI asistent je dostupan u demo okruženju za pitanja o navigaciji i radu u Bilku. Ne daje porezni ili računovodstveni savjet.




Support/contact path:
Add clear in-app support CTA separate from customer/supplier Contacts module:




Trebate pomoć? Kontaktirajte Bilko podršku: support@bilko.io




or if final support inbox is not confirmed:




Trebate pomoć? Kontaktirajte Bilko tim — kanal podrške bit će potvrđen prije produkcije.




Acceptance criteria for implementation tickets


    

  1. HR base/reporting currency is EUR in UI copy and data model.
    2. 

  2. Sales invoice can display original currency plus EUR VAT/accounting amount.
    3. 

  3. Purchases can display original currency plus EUR accounting amount.
    4. 

  4. Exchange-rate source/date are visible and stored; missing rate/date is not silently guessed.
    5. 

  5. Sent invoices do not show primary Pošalji; status clarifies manual/demo vs provider-confirmed sending.
    6. 

  6. Pricing page does not advertise unavailable AI as “coming soon” if AI is present in demo.
    7. 

  7. Contacts module remains customers/suppliers; separate support CTA exists.
    8. 

  8. No claims that eRačun, banking, OCR, email delivery, or payroll are live unless provider-backed evidence exists.
    9. 



Open confirmations before production





Independent bounded review evidence


Redzo/MLX finance-style review — MC #102335


VERDICT: ANSWERED


SUMMARY: The memo provides robust guardrails to prevent misrepresentation of accounting logic, currency handling, and delivery status during the demo phase.


BLOCKING CHANGES: none


NOTES:



Model: mlx-community/gemma-4-26b-a4b-it-4bit @ 10.0.0.2:11435
Cost: $0.00


Local evidence paths


                                




Bilko demo — 7 real-user bug fixes + live verification (MC #102887) — 2026-06-04


Summary


CEO smoke-tested the live Bilko demo and found real bugs in minutes that the prior Phase-B QA (#102883) missed because it tested API-with-token, not real UI clicks. This task ran a REAL-USER browser walkthrough, found 7 bugs, fixed all 7, and LIVE-verified them on bilko-demo.alai.no.


The 7 bugs (all fixed + live-verified)


    

  1. PDV €NaN on invoice detail — vatRate undefined (backend serializes taxAmount); fixed formatCurrency NaN-guard + vatAmount ?? taxAmount. Live: now €30,50.
    2. 

  2. No pagination on invoice list — added server-side pagination controls (shows when >1 page).
    3. 

  3. Draft save → 400customerId required unconditionally + e-invoice XML generated for drafts. Fixed: V63 migration (customer_id nullable), skip e-invoice for drafts.
    4. 

  4. /pricing 401 on /me/trial + /chatbot/history — components fired before auth hydrated. Fixed: auth guard (isAuthenticated && !authLoading) on TrialBanner + pricing/page.tsx.
    5. 

  5. PDF download no refresh-on-401 — added refresh-and-retry to downloadPdf in api.ts.
    6. 

  6. Credit-note button shown but 403 — gated button on plan (planTier added to /auth/me; hidden for BASIC).
    7. 

  7. Trial banner "26874 dana" — TrialService caps >3650 days; banner guards.
    8. 



Critical deploy lesson (worth remembering)


A "green build" with the correct git-sha label did NOT mean the fix was live:



Deploy + verification



Process takeaways


                                




Bilko Demo Event-Loop Freeze — Root Cause, Fix & Hardening (2026-06-08, MC #103134)


Bilko Demo Event-Loop Freeze — Root Cause, Fix & Hardening (2026-06-08, MC #103134)



1. Incident Summary


Date: 2026-06-08

Service: bilko-api-demo (Cloud Run, europe-north1, tribal-sign-487920-k0)

Live revision at incident: bilko-api-demo-00139-b26 (git sha c8dfb6c)

MC: #103134 (child of #103132)

Detected by: CEO (Alem Basic) — no automated alerts existed



Symptom: POST /api/v1/auth/login and GET /api/v1/health intermittently returned HTTP 504 with server-side latency of exactly 59.999 s (Cloud Run hard timeout). Observed failure rate: 17–25% of requests. Both endpoints froze simultaneously on both Cloud Run instances. A manual container restart did not fix the issue.



Why restart did not help: The blocking code paths are baked into the deployed image (c8dfb6c). The freeze re-triggers the moment any user navigates to Reports or Billing/Usage, which re-executes the same bare JDBC calls on the Netty event-loop thread.






2. Root Cause — Causal Chain


Source: 5-agent synthesis (petter-synthesis.md) + source-verified app-layer audit (dev-applayer.md) + data/storage audit (devops2-data.md).



2.1 Ktor Netty Thread Pool Exhaustion (Primary)


Ktor runs on Netty. On a 1-vCPU Cloud Run container with no callGroupSize set (main branch pre-fix), Netty defaults to approximately 2 call-handling threads. With containerConcurrency=8, Cloud Run routes up to 8 simultaneous requests into the container, all competing for those 2 threads.


Any route that executes a bare orgTransaction() call — not wrapped in dbQuery{} — runs its JDBC work directly on the Netty call thread, blocking it for the duration of the DB round-trip (10–100 ms typical, up to 30 s if HikariCP must wait for a pool slot). With only 2 call threads and 8 concurrent slots, two simultaneous requests to a bare-orgTransaction route exhaust both call threads. The event loop is frozen.



Confirmed bare orgTransaction sites on main at incident time:




FileLine(s)Route



ReportRoutes.kt26GET /reports (country lookup)


ReportRoutes.kt240GET /reports/kpo (country pre-check)


ReportRoutes.kt264GET /reports/kpo/export/pdf (country pre-check)


ReportRoutes.kt285GET /reports/kpo/export/xlsx (country pre-check)


BillingRoutes.kt214GET /billing/usage (plan tier + invoice count)


MarketRoutes.kt2 sitesresolveMarketPlugin call sites


ResourceAccessFilter.ktmultiplePer-request security filter


Authentication.ktimpersonation pathPer impersonation request






2.2 PermissionService.loadFromDb — New RBAC Blocking Call (Critical, Entra cutover)


The Entra External ID cutover (MC #103140) introduced RBAC via requirePermission(), which is called on every authenticated request across all 17 route files. On first call per role (4 roles: owner/admin/accountant/viewer), resolve() calls loadFromDb():


// BEFORE fix — blocking on Netty event-loop thread
private fun loadFromDb(role: String): Set<String> {
    return transaction {  // bare JDBC on Netty thread
        RolePermissionsTable.selectAll()...
    }
}


This fires on every cold-start / scale-out event for every authenticated route. Without the fix, the Entra cutover would have immediately re-introduced a freeze worse than the original: 4 role cache-misses per instance restart, each running blocking JDBC on the event loop. Source: /tmp/evidence-103134/rebase-on-entra.md.



2.3 HikariCP connectionTimeout=30,000 ms (Secondary Amplifier)


When the Dispatchers.IO pool workers (correctly dispatched DB calls) hit HikariCP pool pressure — 10 connections shared across 8 concurrent slots — a pool-borrow wait can last up to 30 s per request. Two stacked pool-borrow waits = 60 s = Cloud Run hard kill. This amplifier remains even after the bare-orgTransaction calls are fixed; it is addressed separately by reducing connectionTimeout to 5 s (P0.3).



2.4 Why /health Freezes (Not a DB Problem)


HealthRoutes.kt lines 10–21 are confirmed DB-independent (zero blocking calls, pure in-memory response). The health freeze is not because health touches the DB — it is because both Netty call threads are occupied by blocked orgTransaction callers. Health cannot be scheduled. The TCP startup probe continues to pass because the JVM still has port 4001 bound; only HTTP scheduling is stalled.



2.5 Why Login Freezes (Login Is the Victim, Not the Cause)


AuthRoutes.kt line 150 correctly wraps login in dbQuery{}. Login itself is not a blocking caller. Login freezes because it cannot obtain a call thread to execute — both threads are consumed by the bare-orgTransaction routes.



2.6 Tertiary — Absent Server-Side DB Timeouts


No statement_timeout, idle_in_transaction_session_timeout, or lock_timeout on Cloud SQL (confirmed: databaseFlags null). A single slow query (vacuum contention on db-f1-micro, missing index on a growing table) holds a pool connection indefinitely, compounding pool pressure.



2.7 gcsfuse Is Not a Cause of Auth/Health Freezes


gcsfuse GC timestamps do not align with freeze onsets (GC at 06:35:04 UTC, freeze at 06:34:52 and 06:35:43). Login does no file I/O. gcsfuse FUSE blocking I/O affects receipt endpoints only; it is a separate hygiene issue and was also offloaded to Dispatchers.IO in the fix.






3. Fix Applied (MC #103134)


Branch: fix/demo-freeze-on-entra-103134, commit 5252182, rebased on origin/main @ b21b366 (Entra cutover). Merged as PR #279 → main 839ee7f. Source: /tmp/evidence-103134/rebase-on-entra.md.



Code Fixes




FileChange



routes/ReportRoutes.kt (4 sites)Bare orgTransaction → wrapped in dbQuery{}


routes/BillingRoutes.kt (line 214)Bare orgTransaction in /billing/usage → dbQuery{}


routes/MarketRoutes.kt (2 sites)resolveMarketPlugin call sites → dbQuery{}


plugins/ResourceAccessFilter.ktfetchResourceOwner + logSecurityViolation → suspend + withContext(IO); Thread.sleep → delay


plugins/Authentication.ktImpersonation transaction → withContext(Dispatchers.IO)


services/PermissionService.kt (new finding)loadFromDb() → runBlocking { withContext(Dispatchers.IO) { ... } } — RBAC per-request DB call offloaded


services/ReceiptService.ktreadLocalDocument + persistLocalIfEnabled → suspend + withContext(IO)


routes/ExpenseRoutes.ktreadLocalDocument moved out of dbQuery{} (now suspend-safe)


plugins/Database.ktconnectionTimeout 30,000 → 5,000 ms


routes/HealthRoutes.ktAdded GET /api/v1/health/deep — DB-touching endpoint with withTimeout 3 s + Dispatchers.IO + SELECT 1






Infrastructure Fixes (cloudbuild-stage.yaml + cloudbuild.yaml)




ChangeValue



Memory512 Mi → 1 Gi


Liveness probehttpGet /api/v1/health/deep, port 4001, initialDelaySeconds 30, periodSeconds 30, failureThreshold 2, timeoutSeconds 8


Startup probehttpGet /api/v1/health (was TCP), port 4001, periodSeconds 10, failureThreshold 3, timeoutSeconds 5


containerConcurrency80 → 8 (in cloudbuild-demo-api.yaml; applied to stage + demo templates)






Build and Test Results


./gradlew build -x detekt → BUILD SUCCESSFUL in 12s
Tests: 2561 passed, 1 skipped (EntraLiveCiamTokenWp5Test — stale token, assumeTrue guard), 0 failures



PermissionService Cache Note


The 4-role cache (one entry per role after first load) bounds future DB hits. Pre-warming the cache at JVM startup is recommended as a follow-on polish task (task #7), but is not a blocker for the freeze fix: the IO offload alone prevents the event-loop block on cold misses.






4. Industry-Standard Scorecard


Condensed from petter-synthesis.md §2. Full details in audit reports.



Application Layer




ComponentAssessmentFinding



Ktor/Netty callGroupSizeDEVIATES (pre-fix)No callGroupSize set on main. Defaults to ~2 call threads on 1 vCPU. Fix branch sets callGroupSize=32; must be confirmed active in Cloud Run (env var KTOR_CALL_GROUP_SIZE=32 or production application.yaml profile).


dbQuery{} disciplineDEVIATES → FIXED5 confirmed bare orgTransaction sites + PermissionService.loadFromDb all wrapped in this fix. 97 raw transaction{} calls in repo; remaining ones are safely nested inside outer dbQuery{} or on non-hot paths.


Login path (AuthRoutes.kt:150)STANDARDCorrectly wraps in dbQuery{}. Login was the victim of thread starvation, not a cause.


BCrypt dispatcherDEVIATES (minor)BCrypt (CPU-bound, 250–400 ms) runs on Dispatchers.IO (I/O-bound). Not the freeze cause but degrades throughput. Move to Dispatchers.Default is a follow-on (P1.3).


HikariCP connectionTimeoutDEVIATES → FIXED30,000 ms → 5,000 ms. Pool-borrow wait now fails fast with 503 in 5 s.


Login 3-transaction pool pressureDEVIATESAuthService.login() makes 3 separate orgTransaction{} calls (3 pool borrows per login). Follow-on: consolidate to 1 (P1.1).


Server-side RequestTimeoutDEVIATESNo Ktor RequestTimeout plugin. Stuck handlers are killed by Cloud Run at 60 s, not the app at 10 s. Follow-on: P1.5.


/health endpointSTANDARDDB-independent, correct. Preserved as-is for startup probe.


/health/deep endpointADDEDNew DB-touching endpoint (SELECT 1 via HikariCP, 3 s internal timeout). Returns 200 {db:up} or 503 {db:down}.


gcsfuse (ReceiptService)DEVIATES → FIXED (hygiene)Blocking POSIX I/O on FUSE mount offloaded to withContext(IO). Not the auth/health freeze cause, but blocks safe concurrency > 1–8 without this fix.






Infrastructure Layer




ComponentAssessmentFinding



containerConcurrencyDEVIATES8 with blocking event-loop paths present. Correct value is 1 until all blocking paths are confirmed on Dispatchers.IO. Prior safe state (v0.2.33) was concurrency=1. Fix branch applies concurrency=8 in cloudbuild templates (improvement from 80 default; full concurrency=1 revert deferred pending gcsfuse→SDK swap per P1.2).


minScale/maxScaleDEVIATESmin=2, max=2. Pinned — no relief valve. With maxScale=2 and both instances holding frozen slots, no new instance can absorb traffic. Follow-on: maxScale=5 paired with pool=2 (P2.2).


HikariCP pool mathFRAGILEpool=10, maxScale=2 = 20 connections vs ~22 usable on db-f1-micro. Within bounds by 2 connections only. Any scale-up to 3 instances without reducing pool causes exhaustion.


Cloud SQL databaseFlagsDEVIATESZero flags. No statement_timeout, no idle_in_transaction_session_timeout, no lock_timeout. Follow-on: MC #103133 (blocked on GCP-write channel MC #103149).


Cloud SQL tierDEVIATESdb-f1-micro: max_connections=25, shared CPU, VACUUM contention risk. Follow-on recommendation: db-g1-small minimum for customer-facing demo.


Liveness probeABSENT → ADDEDHTTP liveness on /health/deep added. Without it, frozen containers ran for the full incident duration with no auto-recovery.


Startup probeDEVIATES → FIXEDWas TCP period=240s failureThreshold=1 timeout=240s. Now HTTP GET /health period=10s failureThreshold=3 timeout=5s.


Cloud Monitoring alertsDEVIATES (critical)0 policies (confirmed: gcloud monitoring policies list = 0 items). Incident was CEO-detected. Follow-on: P2.1 (5 alert policies).


MemoryDEVIATES → FIXED512 Mi → 1 Gi. JVM + HikariCP + gcsfuse daemon on 512 Mi was tight; GC pressure is a secondary freeze vector.


Cloud SQL public IPDEVIATESipv4Enabled=true. No unauthorized networks found (mitigated), but public attack surface exists. Follow-on: private IP + VPC (P2 hardening).


CPU throttling / startup-cpu-boost / gen2STANDARDAll correct. No change needed.









5. Deploy Path and Cross-Session Coordination


Source: /tmp/alai/p2p-pairing-evidence/john-7fedd67f-freeze-fix-coordination-20260608.md



This fix was developed in session 7fedd67f and rebased on top of the Entra External ID cutover branch (b21b366). The coordination agreement between the freeze-fix session and the Entra/RBAC workstream (MC #103080, Phase 4) is:



    

  1. Step 1 (complete): PR #279 merged fix/demo-freeze-on-entra-103134 → main (839ee7f). Stage auto-deploy triggered (bilko-stage-auto-deploy: push to ^main$ → cloudbuild-stage.yaml). Stage revision bilko-api-stage-00531-cub deployed.
    2. 

  2. Step 2 (pending): Demo and production semver tag is owned by the Entra/RBAC workstream (MC #103080). That single semver tag vX.Y.Z ships Entra + RBAC + freeze fix together, via bilko-main-deploy trigger (^v.*$ → cloudbuild.yaml, 8 gates + approval). Neither session tags unilaterally.
    3. 




Deploy pipeline mechanics (verified):







6. Proveo Stage Validation — PASS


Source: /tmp/evidence-103134/proveo-stage-verdict.json + /tmp/evidence-103134/proveo-stage-validation.md

Timestamp: 2026-06-08T09:54:10Z

Revision: bilko-api-stage-00531-cub (git sha 839ee7f)





CheckResultDetail



#1 /health x30 sequentialPASS0/30 failures, max latency 170 ms


#1b /health x20 concurrentPASS0/20 failures, max latency 279 ms


#2 /health/deep x15 (DB-touching)PASSEndpoint present, db:up, all under 200 ms


#3 Concurrency starvation test (6 waves x20 = 120 requests)PASS0 non-200, 0x 504@60s. Wave 1 had 2/20 requests at ~10.8 s (HTTP 200, pool warm-up artifact, not freeze). Waves 2–6: zero over 2 s. Original 504@59.999s pattern NOT observed.


#4 Auth pathPASSPOST /auth/login → 410 (legacy retired); POST /auth/entra/session (invalid) → 400; GET /invoices (no auth) → 401; GET /contacts (no auth) → 401. Entra + RBAC enforced.


#5 Probe configPASSlivenessProbe httpGet /health/deep present; startupProbe httpGet /health present; memory 1Gi; git sha 839ee7f confirmed.






Overall verdict: PASS. The event-loop freeze fix is confirmed on stage. The original 504@59.999s symptom is not reproduced under sustained concurrent load.



Caveat: Wave 1 had 2 requests at ~10.8 s (HTTP 200, not 504) — confirmed as connection pool warm-up artifact on first concurrent burst. Not a freeze regression. Waves 2–6 (100 requests) were all under 2 s.






7. Follow-Up Tasks




MCItemStatus



#103133Cloud SQL statement_timeout + idle_in_transaction_session_timeout + lock_timeout (gcloud sql instances patch)Blocked on GCP-write channel MC #103149


#103148Gate wc bug (claim-gate stale-transcript count issue)Open


#103173Claim-gate stale-transcript loopOpen


#103138This documentation page (WS-D)Complete (this page)


Task #7PermissionService pre-warm cache at JVM startup (recommended polish)Deferred


P1.1Consolidate AuthService.login() 3 transactions into 1 (reduce pool borrows per login from 3 to 1)Deferred — daytime review


P1.2Replace gcsfuse with GCS Storage SDK in ReceiptService (unlock safe concurrency > 8)Deferred


P1.5Install Ktor RequestTimeout plugin (force-kill stuck handlers at 10 s, return 503)Deferred


P2.1Create 5 Cloud Monitoring alert policies (5xx rate, p99 latency, instance ceiling, Cloud SQL connections, /health/deep uptime)Deferred — no blocking dependency


P2.2Scaling fix: containerConcurrency=1, maxScale=5, pool=2 (requires P1.2 gcsfuse→SDK first)Deferred


P2.6Add k6 event-loop-freeze regression gate to CI (tests/k6/event-loop-freeze.js)Deferred — spec in test-observability.md §4 B5









8. Evidence References

                                




Bilko Demo Event-Loop Freeze — Root Cause, Fix & Hardening (2026-06-08, MC #103134)


Bilko Demo Event-Loop Freeze — Root Cause, Fix & Hardening (2026-06-08, MC #103134)



1. Incident Summary


Date: 2026-06-08

Service: bilko-api-demo (Cloud Run, europe-north1, tribal-sign-487920-k0)

Live revision at incident: bilko-api-demo-00139-b26 (git sha c8dfb6c)

MC: #103134 (child of #103132)

Detected by: CEO (Alem Basic) — no automated alerts existed



Symptom: POST /api/v1/auth/login and GET /api/v1/health intermittently returned HTTP 504 with server-side latency of exactly 59.999 s (Cloud Run hard timeout). Observed failure rate: 17–25% of requests. Both endpoints froze simultaneously on both Cloud Run instances. A manual container restart did not fix the issue.



Why restart did not help: The blocking code paths are baked into the deployed image (c8dfb6c). The freeze re-triggers the moment any user navigates to Reports or Billing/Usage, which re-executes the same bare JDBC calls on the Netty event-loop thread.






2. Root Cause — Causal Chain


Source: 5-agent synthesis (petter-synthesis.md) + source-verified app-layer audit (dev-applayer.md) + data/storage audit (devops2-data.md).



2.1 Ktor Netty Thread Pool Exhaustion (Primary)


Ktor runs on Netty. On a 1-vCPU Cloud Run container with no callGroupSize set (main branch pre-fix), Netty defaults to approximately 2 call-handling threads. With containerConcurrency=8, Cloud Run routes up to 8 simultaneous requests into the container, all competing for those 2 threads.


Any route that executes a bare orgTransaction() call not wrapped in dbQuery{} runs its JDBC work directly on the Netty call thread, blocking it for the duration of the DB round-trip (10–100 ms typical, up to 30 s if HikariCP must wait for a pool slot). With only 2 call threads and 8 concurrent slots, two simultaneous requests to a bare-orgTransaction route exhaust both call threads. The event loop is frozen.



Confirmed bare orgTransaction sites on main at incident time:




FileLine(s)Route



ReportRoutes.kt26GET /reports (country lookup)


ReportRoutes.kt240GET /reports/kpo (country pre-check)


ReportRoutes.kt264GET /reports/kpo/export/pdf (country pre-check)


ReportRoutes.kt285GET /reports/kpo/export/xlsx (country pre-check)


BillingRoutes.kt214GET /billing/usage (plan tier + invoice count)


MarketRoutes.kt2 sitesresolveMarketPlugin call sites


ResourceAccessFilter.ktmultiplePer-request security filter


Authentication.ktimpersonation pathPer impersonation request






2.2 PermissionService.loadFromDb — New RBAC Blocking Call (Critical, Entra cutover)


The Entra External ID cutover (MC #103140) introduced RBAC via requirePermission(), which is called on every authenticated request across all 17 route files. On first call per role (4 roles: owner/admin/accountant/viewer), resolve() calls loadFromDb():


// BEFORE fix — blocking on Netty event-loop thread
private fun loadFromDb(role: String): Set<String> {
    return transaction {  // bare JDBC on Netty thread
        RolePermissionsTable.selectAll()...
    }
}


This fires on every cold-start / scale-out event for every authenticated route. Without the fix, the Entra cutover would have immediately re-introduced a freeze worse than the original: 4 role cache-misses per instance restart, each running blocking JDBC on the event loop. Source: /tmp/evidence-103134/rebase-on-entra.md.



2.3 HikariCP connectionTimeout=30,000 ms (Secondary Amplifier)


When the Dispatchers.IO pool workers (correctly dispatched DB calls) hit HikariCP pool pressure — 10 connections shared across 8 concurrent slots — a pool-borrow wait can last up to 30 s per request. Two stacked pool-borrow waits = 60 s = Cloud Run hard kill. This amplifier remains even after the bare-orgTransaction calls are fixed; it is addressed by reducing connectionTimeout to 5 s (P0.3).



2.4 Why /health Freezes (Not a DB Problem)


HealthRoutes.kt lines 10–21 are confirmed DB-independent (zero blocking calls, pure in-memory response). The health freeze is not because health touches the DB. It freezes because both Netty call threads are occupied by blocked orgTransaction callers. Health cannot be scheduled. The TCP startup probe continues to pass because the JVM still has port 4001 bound; only HTTP scheduling is stalled.



2.5 Why Login Freezes (Login Is the Victim, Not the Cause)


AuthRoutes.kt line 150 correctly wraps login in dbQuery{}. Login itself is not a blocking caller. Login freezes because it cannot obtain a call thread to execute — both threads are consumed by the bare-orgTransaction routes.



2.6 Tertiary — Absent Server-Side DB Timeouts


No statement_timeout, idle_in_transaction_session_timeout, or lock_timeout on Cloud SQL (confirmed: databaseFlags null). A single slow query holds a pool connection indefinitely, compounding pool pressure.



2.7 gcsfuse Is Not a Cause of Auth/Health Freezes


gcsfuse GC timestamps do not align with freeze onsets (GC at 06:35:04 UTC, freeze at 06:34:52 and 06:35:43). Login does no file I/O. gcsfuse FUSE blocking I/O affects receipt endpoints only; it is a separate hygiene issue and was also offloaded to Dispatchers.IO in the fix.






3. Fix Applied (MC #103134)


Branch: fix/demo-freeze-on-entra-103134, commit 5252182, rebased on origin/main @ b21b366 (Entra cutover). Merged as PR #279 to main 839ee7f. Source: /tmp/evidence-103134/rebase-on-entra.md.



Code Fixes




FileChange



routes/ReportRoutes.kt (4 sites)Bare orgTransaction wrapped in dbQuery{}


routes/BillingRoutes.kt (line 214)Bare orgTransaction in /billing/usage wrapped in dbQuery{}


routes/MarketRoutes.kt (2 sites)resolveMarketPlugin call sites wrapped in dbQuery{}


plugins/ResourceAccessFilter.ktfetchResourceOwner + logSecurityViolation made suspend + withContext(IO); Thread.sleep replaced with delay


plugins/Authentication.ktImpersonation transaction wrapped in withContext(Dispatchers.IO)


services/PermissionService.kt (new finding)loadFromDb() now uses runBlocking { withContext(Dispatchers.IO) { ... } } — RBAC per-request DB call offloaded from event loop


services/ReceiptService.ktreadLocalDocument + persistLocalIfEnabled made suspend + withContext(IO)


routes/ExpenseRoutes.ktreadLocalDocument call moved out of dbQuery{} (now suspend-safe directly)


plugins/Database.ktconnectionTimeout 30,000 ms reduced to 5,000 ms


routes/HealthRoutes.ktAdded GET /api/v1/health/deep — DB-touching endpoint with withTimeout 3 s + Dispatchers.IO + SELECT 1






Infrastructure Fixes (cloudbuild-stage.yaml + cloudbuild.yaml)




ChangeBeforeAfter



Memory512 Mi1 Gi


Liveness probeNonehttpGet /api/v1/health/deep, port 4001, initialDelaySeconds 30, periodSeconds 30, failureThreshold 2, timeoutSeconds 8


Startup probe typeTCP port 4001, period 240s, failureThreshold 1, timeout 240shttpGet /api/v1/health, port 4001, period 10s, failureThreshold 3, timeout 5s


containerConcurrency (cloudbuild templates)80 (default)8






Build and Test Results


./gradlew build -x detekt: BUILD SUCCESSFUL in 12s
Tests: 2561 passed, 1 skipped (EntraLiveCiamTokenWp5Test — assumeTrue on stale token file), 0 failures






4. Industry-Standard Scorecard


Condensed from petter-synthesis.md section 2. Full findings in layer audit files.



Application Layer Deviations




ComponentStatusFinding



Ktor/Netty callGroupSizeDEVIATES (pre-fix)Defaults to ~2 call threads on 1 vCPU when unset. callGroupSize=32 added in fix; must be confirmed in Cloud Run env (KTOR_CALL_GROUP_SIZE=32 or production profile).


dbQuery{} disciplineFIXED5 bare orgTransaction sites + PermissionService.loadFromDb all wrapped. Remaining raw transaction{} calls are safely nested inside outer dbQuery{} or on non-hot paths.


Login pathSTANDARDAuthRoutes.kt:150 correctly wraps in dbQuery{}. Login was the victim of thread starvation, not a cause.


BCrypt dispatcherDEVIATES (minor)BCrypt (CPU-bound 250–400 ms) runs on Dispatchers.IO. Should be Dispatchers.Default. Not the freeze cause. Follow-on P1.3.


HikariCP connectionTimeoutFIXED30,000 ms reduced to 5,000 ms. Pool-borrow wait now fails fast with 503.


Login transaction countDEVIATESAuthService.login() makes 3 separate orgTransaction{} calls (3 pool borrows). Follow-on P1.1: consolidate to 1.


Ktor RequestTimeout pluginDEVIATESNot installed. Stuck handlers held until Cloud Run kills at 60 s. Follow-on P1.5: add 10 s server-side timeout.


/health/deep endpointADDEDDB-touching SELECT 1, 3 s internal timeout, returns 200 {db:up} or 503.


gcsfuse (ReceiptService)FIXED (hygiene)Blocking POSIX FUSE I/O offloaded to withContext(IO). Not the auth/health freeze cause, but blocked safe concurrency > 1–8.






Infrastructure Layer Deviations




ComponentStatusFinding



containerConcurrencyDEVIATES8 with blocking paths present. Industry standard: 1 until all blocking DB/IO paths are on Dispatchers.IO. Reduced from 80 to 8 in fix; full revert to 1 deferred pending gcsfuse SDK swap (P1.2).


minScale/maxScaleDEVIATESmin=2 max=2 — no scaling relief valve. With both instances holding frozen slots, no new instance absorbs traffic. Follow-on P2.2: maxScale=5 + pool=2.


HikariCP pool mathFRAGILEpool=10, maxScale=2 = 20 connections vs ~22 usable on db-f1-micro. Within bounds by 2 connections only.


Cloud SQL databaseFlagsDEVIATESZero flags. No statement_timeout (follow-on MC #103133, blocked on MC #103149), no idle_in_transaction_session_timeout, no lock_timeout.


Liveness probeADDEDHTTP liveness on /health/deep. Without it, frozen containers ran for the entire incident duration with no auto-recovery.


Startup probeFIXEDTCP 240s/1 threshold → HTTP GET /health 10s/3 threshold.


Cloud Monitoring alertsDEVIATES0 policies (gcloud monitoring policies list = 0 items confirmed 2026-06-08T08:54 UTC). Incident was CEO-detected. Follow-on P2.1: 5 alert policies.


MemoryFIXED512 Mi to 1 Gi. JVM + HikariCP + gcsfuse daemon on 512 Mi was tight.


Cloud SQL public IPDEVIATESipv4Enabled=true. No open authorized networks found (mitigated), but public surface exists. Follow-on: private IP + VPC.









5. Deploy Path and Cross-Session Coordination


Source: /tmp/alai/p2p-pairing-evidence/john-7fedd67f-freeze-fix-coordination-20260608.md



This fix was developed in session 7fedd67f, rebased on the Entra External ID cutover branch (b21b366), and coordinated with the Entra/RBAC workstream (MC #103080, Phase 4). The agreed sequence:



    

  1. Step 1 (complete): PR #279 merged fix/demo-freeze-on-entra-103134 to main (839ee7f). Stage auto-deploy triggered. Stage revision bilko-api-stage-00531-cub deployed. Proveo PASS issued.
    2. 

  2. Step 2 (pending): Demo and production semver tag is owned by the Entra/RBAC workstream (MC #103080). That single semver tag vX.Y.Z ships Entra + RBAC + freeze fix together via bilko-main-deploy trigger. Neither session tags unilaterally.
    3. 




Deploy pipeline mechanics (tool-verified):







6. Proveo Stage Validation — PASS


Source: /tmp/evidence-103134/proveo-stage-verdict.json + /tmp/evidence-103134/proveo-stage-validation.md

Timestamp: 2026-06-08T09:54:10Z | Revision: bilko-api-stage-00531-cub (git sha 839ee7f)





CheckResultDetail



/health x30 sequentialPASS0/30 failures, max latency 170 ms


/health x20 concurrentPASS0/20 failures, max latency 279 ms


/health/deep x15 (DB-touching)PASSEndpoint present, db:up, all under 200 ms


Concurrency starvation test (6 waves x20 = 120 requests)PASS0 non-200, 0x 504@60s. Wave 1: 2/20 requests at ~10.8 s HTTP 200 (pool warm-up artifact, not freeze). Waves 2–6: zero over 2 s. Original 504@59.999s pattern NOT observed.


Auth pathPASSPOST /auth/login 410 (legacy retired); POST /auth/entra/session (invalid) 400; GET /invoices (no auth) 401; GET /contacts (no auth) 401. Entra + RBAC enforced.


Probe configPASSlivenessProbe httpGet /health/deep present; startupProbe httpGet /health present; memory 1Gi; git sha 839ee7f confirmed.






Overall verdict: PASS. The event-loop freeze fix is confirmed on stage. The original 504@59.999s symptom is not reproduced under sustained concurrent load. All DB-touching paths return fast. Entra-only auth path correctly enforced.






7. Follow-Up Tasks




MC / ItemDescriptionStatus



MC #103133Cloud SQL statement_timeout + idle_in_transaction_session_timeout + lock_timeoutBlocked on GCP-write channel MC #103149


MC #103148Gate wc bugOpen


MC #103173Claim-gate stale-transcript loopOpen


Task #7PermissionService pre-warm cache at JVM startup (4-role cache hit on first request, no cold DB miss)Deferred — recommended polish


P1.1Consolidate AuthService.login() 3 transactions into 1 (reduce pool borrows per login from 3 to 1)Deferred


P1.2Replace gcsfuse with GCS Storage SDK in ReceiptService (prerequisite for safe containerConcurrency > 8)Deferred


P1.3Move BCrypt from Dispatchers.IO to Dispatchers.Default (CPU-bound work on correct dispatcher)Deferred


P1.5Install Ktor RequestTimeout plugin (force-kill stuck handlers at 10 s, return 503 not 504)Deferred


P2.1Create 5 Cloud Monitoring alert policies (5xx rate, p99 latency, instance ceiling, Cloud SQL connections, /health/deep uptime)Deferred — no blocking dependency


P2.2Scaling fix: containerConcurrency=1, maxScale=5, pool=2 (requires P1.2 first)Deferred pending P1.2


P2.6Add k6 event-loop-freeze regression gate to CI (spec in test-observability.md section 4 B5)Deferred









8. Evidence References

                                




Bilko Environment Topology — Corrected Canonical Reference (2026-06-09)


Bilko Environment Topology — Corrected Canonical Reference


As of: 2026-06-09 | Authority: MC #103300 C7 (ZAKON PLAN docs) | Source: Tool-verified facts only — no inferred data






1. Production — Customer-Facing


CEO Decision (2026-06-09): Demo Cloud Run services reused as production ($0 new infra). There is no separate prod Cloud Run deployment.





DomainCloud Run ServiceDNSTLSDatabase



app.bilko.cloudbilko-web-demoCloudflare CNAME → ghs.googlehosted.com (grey/DNS-only)Google-managed cert (provisioned)bilko-demo-db (PostgreSQL 15)


app-api.bilko.cloudbilko-api-demoCloudflare CNAME → ghs.googlehosted.com (grey/DNS-only)Google-managed cert (provisioned)






Self-Serve Onboarding




AI Chatbot







2. Marketing Landings (Cloudflare Pages)




DomainApp / PathCTA destination



bilko.cloudapps/landing-hrapp.bilko.cloud


bilko.ioapps/landing-ioapp.bilko.cloud


bilko.companyapps/landing-baapp.bilko.cloud










3. Stage — UAT + Seed / Demo




DomainCloud Run ServiceDatabaseRole



bilko-demo.alai.nobilko-web-stagebilko-staging-db (PostgreSQL 16)UAT, internal QA, seeded demo data


bilko-demo-api.alai.nobilko-api-stage





Note: The bilko-demo.alai.no and bilko-demo-api.alai.no domain mappings remain live and now serve the stage/UAT role (not production-customer-facing).






4. CI/CD Pipeline




TriggerCloud Build ConfigDeploys to



Push to main branchcloudbuild-stage.yamlStage (bilko-web-stage, bilko-api-stage, bilko-staging-db)


Semver tag vX.Y.Zcloudbuild.yamlDemo/Prod (bilko-web-demo, bilko-api-demo, bilko-demo-db)





Known issue MC #103304: GitHub Actions is currently DOWN due to billing. This affects any workflows running in GitHub Actions; Cloud Build triggers (above) are unaffected.






5. Known Issues & Orphaned Resources




MC / RefIssueStatus



MC #103304GitHub Actions billing — Actions disabledOpen


MC #103308Landing deploy-dir: workflow deploys root, not out/; manual wrangler deploy applied 2026-06-09Open


MC #103296Orphaned OAuth brand / project 762788903040 — not linked to any active serviceOpen


Retiredapi.bilko.cloud legacy domain — retired, no active Cloud Run mappingRetired 2026-06-09


AvoidedTwo-V70 migration collision — resolved, no duplicate V70 migration in flightResolved 2026-06-09









6. Architecture Diagram



┌─────────────────────────────────────────────────────────────────────┐
│  PRODUCTION (customer-facing)                                       │
│                                                                     │
│  bilko.cloud ─────┐                                                 │
│  bilko.io ────────┼──► Cloudflare Pages (landing-hr/io/ba)         │
│  bilko.company ───┘         │ CTA                                   │
│                             ▼                                       │
│  app.bilko.cloud ──► [CF DNS-only CNAME] ──► bilko-web-demo        │
│  app-api.bilko.cloud ─► [CF DNS-only CNAME] ──► bilko-api-demo     │
│                                        │              │             │
│                                   Google TLS    bilko-demo-db      │
│                                                   (PG15, RLS)      │
│                                                                     │
│  Entra External ID (CIAM) → email OTP → JIT tenant + 7-day trial  │
│  AI: Groq → Ollama → Anthropic (tier-router)                       │
└─────────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────────┐
│  STAGE (UAT / internal demo / seeded data)                         │
│                                                                     │
│  bilko-demo.alai.no ────► bilko-web-stage                          │
│  bilko-demo-api.alai.no ─► bilko-api-stage                         │
│                                        │                            │
│                                bilko-staging-db (PG16)             │
└─────────────────────────────────────────────────────────────────────┘

CI/CD:
  push main → cloudbuild-stage.yaml → STAGE
  tag vX.Y.Z → cloudbuild.yaml → DEMO/PROD







7. Decision Log




DateDecisionAuthority



2026-06-09Reuse bilko-web-demo / bilko-api-demo as production endpoints ($0 new infra)CEO (Alem Basic)


2026-06-09GROQ_API_KEY bound to bilko-api-demo (was missing, broke AI chatbot)MC #103300 fix


2026-06-09All landing CTA hrefs verified pointing to app.bilko.cloudMC #103300 C7 verification


2026-06-09Legacy api.bilko.cloud domain retiredMC #103300








Generated by Skillforge (MC #103300 C7). Facts tool-verified in session 2026-06-09. Next review: on any topology change or new domain mapping.
                                




Bilko Infrastruktura — objašnjeno jednostavno (za CEO) — 2026-06-09


Bilko Infrastruktura — objašnjeno jednostavno (za CEO)


Verzija 2026-06-09. Cilj: da za 5 minuta razumiješ gdje Bilko živi, kako kod dođe do kupaca, šta je polomljeno i kako to zaobilazimo. Sve provjereno uživo (gcloud), ne napamet.






KORAK 1 — Šta gdje radi (okruženja)



Bilko ima 7 Cloud Run "mašina", ali realno samo 2 okruženja:



PROD  (ono što kupci vide — pravi proizvod, čist, bez demo podataka)
   app.bilko.cloud       ->  bilko-web-demo    (web,  Next.js)
   app-api.bilko.cloud   ->  bilko-api-demo    (API,  Kotlin/Ktor)
                                 |
                             bilko-demo-db     (Postgres 16)

STAGE  (za testiranje prije proda — UAT)
   (interni URL-ovi)     ->  bilko-web-stage  +  bilko-api-stage
                                 |
                             bilko-staging-db




⚠️ Zašto je zbunjujuće: IMENA LAŽU


Servisi se zovu ...-demo ali su to PROD. Razlog: odlučili smo "reuse demo kao prod" da ne plaćamo novu bazu/servise (0 KM dodatno). Pa app.bilko.cloud (tvoj pravi proizvod) radi na mašini koja se istorijski zove bilko-web-demo. Ime = ostatak iz prošlosti, ne realnost.



Ostalo (nije bitno za sad)







KORAK 2 — Kako kod dođe iz editora na te mašine (deploy)



Postoje tri odvojena puta kako kod ide live, zavisno šta se mijenja:



A) Glavna aplikacija (web + API)


ti/agent napišeš kod  ->  PR na GitHub  ->  merge u 'main'
                                              |
                          GitHub javi Google Cloud Build-u (preko "konekcije")
                                              |
                Cloud Build sagradi Docker image + prođe GATE-ove (security, testovi)
                                              |
              STAGE:  push u 'main'  -> trigger 'bilko-stage-auto-deploy'  -> stage mašine
              PROD:   semver tag (npr. v0.2.66) -> trigger 'bilko-main-deploy' -> prod mašine



Gate-ovi = automatske provjere prije nego se išta pusti: security skener (Trivy), testovi, lint. Ako bilo koji padne — deploy se zaustavi. To je dobro (štiti prod), ali znači da jedan pokvaren gate blokira SVE.



B) Landing stranice (marketing: bilko.cloud, bilko.io, bilko.company)


to su STATIČNE stranice na Cloudflare Pages (ne Cloud Run)
   bilko.cloud     = apps/landing-hr
   bilko.io        = apps/landing-io
   bilko.company   = apps/landing-ba
deploy: GitHub workflow (sad preko FORGE self-hosted runner-a, vidi Korak 3)




C) Baza (migracije)


Promjene strukture baze idu kroz Flyway migracije (V1, V2, ... fajlovi). Pokreću se automatski pri deploy-u API-ja. Nikad se stara migracija ne mijenja — uvijek nova.






KORAK 3 — Šta je POLOMLJENO i kako zaobilazimo (stanje 2026-06-09)





ProblemŠta značiZaobilaznicaPravi fix (treba CEO)



GitHub→CloudBuild konekcija mrtva (#103276)
Kad mergeš u main, Google ne dobije signal -> deploy se NE pokrene sam
Deploy ručno: gcloud builds submit (upload koda direktno, preskače mrtvu konekciju, ali vrti sve gate-ove)
Popraviti konekciju treba cloudbuild.connections.update IAM dozvolu — tvoj nalog




GitHub Actions istrošen (#103304)
Privatni repo ima 2000 besplatnih min/mjesec; potrošeno -> CI + landing deploy padaju
FORGE self-hosted runner (tvoj Mac Studio, 10.0.0.2) = besplatno, neograničeno. Već radi za landinge.
Ništa nužno — resetuje se sljedeći mjesec; ili ostavi na FORGE-u zauvijek




Trivy security gate (#103315)
Našao HIGH CVE u Netty biblioteci -> blokirao sve deploye od 02:00
Bumpали Netty 4.2.13 -> 4.2.15 (riješeno)
Riješeno ✓




Orphan OAuth brand (#103296)
Stari Google OAuth brand ruši "tag" operacije na bilko-web-demo prometu
Ne koristiti tagove na bilko-web-demo prometu; --clear-tags kad treba
Obrisati brand 762788903040 (Google support)






Pouka: deploy pipeline ima nekoliko slomljenih karika koje su se nagomilale. Glavna (GitHub konekcija) treba tvoju IAM dozvolu. Dok se ne sredi, deploy je ručni preko gcloud builds submit.






KORAK 4 — Kako se korisnici LOGUJU (Entra-only)


Bilko više NEMA email+lozinka login. Sve ide preko Microsoft Entra External ID (CIAM):







KORAK 5 — Baze i čišćenje (2026-06-09)


Prod baza (bilko-demo-db) je očišćena: sa 167 firmi / 173 korisnika -> 2 firme / 3 korisnika. Obrisano: 161 test-artefakt + 3 mrtva seed orga. Tvoj nalog alem@alai.no migriran na čistu firmu "ALAI Holding AS". Backup napravljen prije (1781031619853) — rollback uvijek moguć.






KORAK 6 — Kako TI testiraš







Vezani MC taskovi


#103300 (prod topologija), #103276 (GitHub konekcija), #103304 (GitHub Actions billing), #103296 (OAuth brand), #103315 (Netty CVE), #103313 (CEO bug-bash), #103308 (landing deploy-dir).
                                




Bilko Observability (GCP-native) 2026-06-10


Status


LIVE and Proveo-verified as of 2026-06-10. GCP project tribal-sign-487920-k0, region europe-north1. MC #103329 (FlowForge implementation) + MC #103331 (Proveo independent verification). Parent MC #103328.



Related: Bilko Sentinel — Tier-0 Self-Healing Agent 2026-06-10



Environment Topology


The naming is deliberately confusing due to legacy reasons — read carefully:



  
    
Logical roleCloud Run servicesCloud SQL instanceURLsNotes

  
  
    

      PROD (customer trial)
      bilko-api-demo, bilko-web-demo
      bilko-demo-db
      app.bilko.cloud / bilko-demo.alai.no
      Named "-demo" for legacy reasons. This is the functionally live surface — real customer self-serve trial traffic.
    

    

      STAGE (internal CI/E2E)
      bilko-api-stage, bilko-web-stage
      bilko-staging-db
      bilko-*-stage.run.app
      Internal only. Used for CI validation and E2E test runs. Not customer-facing.
    

    

      Reserved shell (dormant)
      bilko-web (rev 00001)
      bilko-db
      N/A
      Dormant. Excluded from all alerting. Do not SLO-bind until activated.
    

  




Uptime Checks (4 active)



  
    
#Display nameHost / PathPeriodRegionsEnv

  
  
    

      1
      Bilko Web Prod (app.bilko.cloud)
      app.bilko.cloud /
      60s
      EUROPE, USA_VIRGINIA, ASIA_PACIFIC
      prod
    

    

      2
      Bilko API Prod (app-api.bilko.cloud/api/v1/health)
      app-api.bilko.cloud /api/v1/health
      60s
      EUROPE, USA_VIRGINIA, ASIA_PACIFIC
      prod
    

    

      3
      Bilko Web Stage
      bilko-web-stage-dh4m46blja-lz.a.run.app /
      300s
      EUROPE, USA_VIRGINIA, ASIA_PACIFIC
      stage
    

    

      4
      Bilko API Stage
      bilko-api-stage-dh4m46blja-lz.a.run.app /api/v1/health
      300s
      EUROPE, USA_VIRGINIA, ASIA_PACIFIC
      stage
    

  



Note on API health check: app-api.bilko.cloud (Cloudflare proxy) returns HTTP 405 on GET — this is expected. The actual Cloud Run service returns 200. The uptime check accepts both 200 and 405.



Alert Policies (7 active, MC #103329)



  
    
Policy nameServices / instancesThresholdPolicy ID

  
  
    

      Bilko Prod — HTTP 5xx rate high on bilko-api-demo
      bilko-api-demo
      >1% 5xx rate over 5-min window (ALIGN_RATE, REDUCE_SUM)
      11502345168057990272
    

    

      Bilko Prod — HTTP 5xx rate high on bilko-web-demo
      bilko-web-demo
      >1% 5xx rate over 5-min window
      13840551641108771864
    

    

      Bilko Prod — Request latency P95 high on prod services
      bilko-api-demo, bilko-web-demo
      API P95 >3000ms; Web P95 >5000ms
      13840551641108772022
    

    

      Bilko Prod — Container restart/crash on prod services
      bilko-api-demo, bilko-web-demo
      starting-state instance count MEAN >3 in 5-min window (crash-loop indicator)
      10038710534975650645
    

    

      Bilko — Cloud SQL CPU utilization high (prod + stage)
      bilko-demo-db, bilko-staging-db
      bilko-demo-db >70% CPU for 5min; bilko-staging-db >85% for 5min
      1002243302492516643
    

    

      Bilko Prod — Cloud SQL connections near max on bilko-demo-db
      bilko-demo-db
      num_backends >20 (80% of max 25 for db-f1-micro)
      606613461467816964
    

    

      Bilko Prod — Uptime check failed
      app.bilko.cloud, app-api.bilko.cloud
      REDUCE_COUNT_FALSE >1 for 120s duration (2+ regions failing)
      8433909893104140357
    

  



There is also one pre-existing legacy policy from MC #103245: Bilko CIAM — High 429 rate on bilko-api-demo (policy ID 4279915624784430014), kept and already had Slack+email attached.



Notification Channels



  
    
ChannelTypeGCP channel IDAttached to

  
  
    

      Slack #ceo (ALAI workspace T0AELHU0E13)
      Slack (GCP-native OAuth)
      17620748118296880307
      All 7 MC#103329 policies + legacy CIAM policy
    

    

      alem@alai.no
      Email
      16578157527237754053
      All 7 MC#103329 policies
    

    

      dev@alai.no
      Email (pre-existing)
      2103834221134748174
      All 7 MC#103329 policies
    

  




Dashboard


Display name: Bilko Observability — Prod + Stage (MC #103329)

Dashboard ID: 070613fa-a0b6-41e1-8606-ccdf0e52a87a

Open in GCP Console


Dashboard tiles:




Proveo Verification (End-to-End Alert Delivery)


Proveo (MC #103331) ran an independent end-to-end proof:



Verdict: PASS.



IAM Note


No new IAM bindings were created. All setup used gcloud monitoring commands only. The existing alai-cli-deployer service account already held Monitoring Admin role.



Tuning and Maintenance


Adding or modifying an alert policy


# List all policies
gcloud monitoring policies list --project=tribal-sign-487920-k0

# Describe a specific policy (by ID)
gcloud monitoring policies describe POLICY_ID --project=tribal-sign-487920-k0

# Update a threshold (edit JSON/YAML and update)
gcloud monitoring policies update POLICY_ID --policy-from-file=policy.json --project=tribal-sign-487920-k0

# Create a new policy from file
gcloud beta monitoring policies create --policy-from-file=new-policy.json --project=tribal-sign-487920-k0



Known threshold that may need raising


The bilko-demo-db SQL connections threshold (20/25) was set at 80% of the db-f1-micro max_connections=25. After a few weeks of baseline data, consider whether to raise the instance tier (which raises max_connections) or adjust this threshold. Check current connection count:


gcloud monitoring time-series list \
  --filter='metric.type="cloudsql.googleapis.com/database/postgresql/num_backends" AND resource.labels.database_id:"bilko-demo-db"' \
  --project=tribal-sign-487920-k0 \
  --freshness=5m



Supersedes


This page supersedes docs/infrastructure/MONITORING.md v1.0 (2026-02-25), which described the Railway/Vercel/Express era with PLANNED Sentry/BetterStack. That file has been updated with a superseded header pointing here. See also Bilko Sentinel — Tier-0 Self-Healing Agent 2026-06-10 for the detection and diagnosis agent built on top of this observability layer. Discussion note: docs/infrastructure/OBSERVABILITY-DISCUSSION-2026-06-09.md.
                                




Bilko Sentinel — Tier-0 Self-Healing Agent 2026-06-10


Status


LIVE and Proveo-verified as of 2026-06-10. MC #103337 (AgentForge implementation) + MC #103337 Proveo independent verification. Parent MC #103328. Dynamic policy discovery added MC #103420 (2026-06-11).


Related: Bilko Observability (GCP-native) 2026-06-10Tier-1 (bounded auto-remediation, SHADOW): Bilko Sentinel Tier-1 (Shadow-First) 2026-06-11 — the GCP alert layer this agent reads from.



What It Is


Bilko Sentinel is a read-only ops agent that runs on ANVIL every 3 minutes. It follows a four-stage pipeline:


    
  
  1. Detect — at cycle start, dynamically discovers all enabled GCP Monitoring alert policies via gcloud alpha monitoring policies list (SA alai-cli-deployer, quota project). Normalizes each conditionThreshold into the evaluator’s internal shape, then evaluates the last 6 minutes of time-series data against every condition. The policy set is cached for 5 minutes (bilko-sentinel-policy-cache.json) to avoid hammering the API every 180-second cycle. If the fetch fails, falls back to the embedded list and logs a WARN — never crashes, never goes silently blind. Currently evaluates 9 policies (13 conditions).
    2. 
  
  2. Enrich — on a breach, fetches recent Cloud Run logs and the current revision/traffic split for the affected service.
    3. 
  
  3. Diagnose — calls FORGE Ollama (qwen2.5:7b-instruct-q8_0 at 10.0.0.2:11434) with a structured JSON prompt (temperature 0.1) to produce a root-cause hypothesis and recommended action. Falls back to a deterministic template per cause category if Ollama is unreachable.
    4. 
  
  4. Propose — posts exactly one structured proposal per unique incident to Slack #ceo and email alem@alai.no. Deduplicates by incident key; does not re-notify the same breach for 24 hours.
    5. 



It never changes anything. Proveo independently verified: zero mutating verbs, no GCP mutations of any kind (no run deploy, no set-iam-policy, no SQL writes, no secrets writes). The only HTTP POST in the script goes to the Ollama local inference endpoint, not to googleapis.com. The gcloud alpha monitoring policies list call added in MC #103420 is a read-only list operation — forbidden-verb scan still returns 0 matches (verified by AgentForge evidence proof_5).



Infrastructure



  
    
ComponentLocation

  
  
    
Script/Users/makinja/system/tools/bilko-sentinel.js

    
LaunchAgent plist/Users/makinja/Library/LaunchAgents/com.alai.bilko-sentinel.plist

    
State file (dedup)/Users/makinja/system/state/bilko-sentinel-state.json

    
Policy discovery cache/Users/makinja/system/state/bilko-sentinel-policy-cache.json — 5-min TTL

    
Audit log/Users/makinja/system/logs/bilko-sentinel-audit.jsonl

    
Run log/Users/makinja/system/logs/bilko-sentinel.log

    
HostANVIL (makinja local Mac)

    
Schedule180-second interval, RunAtLoad=true

    
Node.js path/opt/homebrew/bin/node

  




Policies Monitored — Dynamic Discovery (9 policies, 13 conditions)


As of MC #103420 (2026-06-11), the Sentinel dynamically discovers all enabled GCP alert policies each cycle. The list below reflects the 9 policies currently active. Any policy added to GCP Console or via FlowForge is automatically picked up without a code change.


    
  
  1. Cloud SQL CPU utilization high (prod + stage)
    2. 
  
  2. Container restart/crash on prod services
    3. 
  
  3. HTTP 5xx rate high on bilko-api-demo
    4. 
  
  4. HTTP 5xx rate high on bilko-web-demo
    5. 
  
  5. Request latency P95 high on prod services (API + Web — 2 conditions)
    6. 
  
  6. CIAM — High 429 rate on bilko-api-demo
    7. 
  
  7. Cloud SQL connections near max on bilko-demo-db
    8. 
  
  8. Uptime check failed (app.bilko.cloud + app-api.bilko.cloud — 2 conditions)
    9. 
  
  9. Bilko API Demo — Backend ERROR log rate (bilko_api_demo_error_count, policy #2342970117877340710, added MC #103364) — this policy was missed by the old hardcoded list and is what prompted MC #103420
    10. 



Condition type support: conditionThreshold (metric threshold) — fully evaluated; covers all 9 current policies. conditionAbsent and other types — logged and skipped, cannot fire false positives.



Severity Scale



  
    
LabelMeaning

  
  
    
P1-DOWNService is down or uptime check failing

    
P2-DEGRADEDElevated error rate or restart loop

    
P3-WARNLatency spike, DB pressure, CIAM abuse rate

  




Notification Format


Every proposal contains:



Dedup key format: bilko-{policyId[-8:]}-{condId[-8:]}. Once notified, silent for 24 hours on the same condition.



Proveo Verification Summary


Proveo (MC #103337) independently verified all critical properties:



  
    
PropertyMethodResult

  
  
    
Read-only guaranteeExhaustive grep of all spawnSync calls and HTTP methodsCONFIRMED — zero mutating verbs

    
LaunchAgent loaded + healthylaunchctl list | grep bilko-sentinel — LastExitStatus=0PASS

    
Detect → Propose → Slack deliveryIndependent verifier script with synthetic threshold (2ms vs real 9.5ms P95)PASS — Slack message confirmed in #ceo at 04:24 UTC

    
Detect → Propose → Email deliverySame synthetic testPASS — Message-ID confirmed in audit DB

    
Dedup across cyclesReal 2-cycle disk-persistence test (not code inspection only)PASS — Cycle 2 silent, no second Slack message

    
Healthy = silentNormal threshold against real metric valuePASS — zero messages sent

    
No GCP mutationCloud Run revision before/after comparisonPASS — bilko-api-demo-00167-h9v unchanged

    
Read-only guarantee (MC #103420)Forbidden-verb grep: gcloud run deploy, set-iam, secrets write, policy create/update/delete — 0 matchesCONFIRMED — gcloud alpha monitoring policies list is a read-only list call

  



Honest gaps noted by AgentForge (now closed by Proveo): email exit-code quirk (fixed in script via stdout check); dedup 2-cycle test (now independently proven); Ollama not re-exercised in Proveo test (builder’s synthtest confirmed it live).



Incident-Driven Hardening (MC #103420)


On 2026-06-10, a 503 burst on bilko-api-demo fired alert policy bilko_api_demo_error_count (policy ID 2342970117877340710, added in MC #103364). The Sentinel did not fire a proposal because that policy was not in the original hardcoded list — it had been added after the Sentinel was built.


MC #103420 replaced the static list with dynamic discovery (discoverPolicies()): each cycle the Sentinel fetches all enabled policies from GCP, so any future policy added in GCP Console or by FlowForge is automatically evaluated with zero code changes. The hardcoded ALERT_POLICIES array is kept as a fallback only. AgentForge re-verified the read-only guarantee post-fix (forbidden-verb scan: 0 matches). The Tier-0 read-only contract is unchanged.



Runbook


Pause sentinel


launchctl unload ~/Library/LaunchAgents/com.alai.bilko-sentinel.plist



Resume sentinel


launchctl load ~/Library/LaunchAgents/com.alai.bilko-sentinel.plist



Check last run status


launchctl list | grep bilko-sentinel
# PID="-" = not currently running (between intervals). LastExitStatus=0 = healthy.

tail -20 /Users/makinja/system/logs/bilko-sentinel.log



View audit trail


tail -f /Users/makinja/system/logs/bilko-sentinel-audit.jsonl



View current policy discovery cache


cat /Users/makinja/system/state/bilko-sentinel-policy-cache.json



Add a new alert policy


Create or enable the alert policy in GCP Console (or via FlowForge). The Sentinel will automatically discover and evaluate it at the next cache refresh (within 5 minutes). No code change needed. To force an immediate pick-up, delete the cache file and wait for the next cycle:


rm -f /Users/makinja/system/state/bilko-sentinel-policy-cache.json



Tune alert thresholds


Thresholds live in the GCP alert policy definitions, not in the Sentinel script. Update the threshold in GCP Console; the Sentinel picks up the new value at the next cache refresh. To update the fallback embedded list (used only when GCP fetch fails), edit ALERT_POLICIES in /Users/makinja/system/tools/bilko-sentinel.js and reload:


launchctl unload ~/Library/LaunchAgents/com.alai.bilko-sentinel.plist
# edit the fallback array in the script
launchctl load ~/Library/LaunchAgents/com.alai.bilko-sentinel.plist



Tier Model and Safety Rationale


The tier model was defined after the 2026-06 IAM incident, in which an automated set-iam-policy call wiped project IAM. The lesson: any agent that can mutate production infra must earn trust via a demonstrated read-only track record first.



  
    
TierCapabilityStatusSafety gates

  
  
    

      Tier 0 — current
      Detect + Diagnose + Propose. Read-only. Posts structured proposal to #ceo and alem@alai.no. Zero blast radius.
      LIVE
      No code path to write to GCP. Proveo-verified. Dynamic discovery is a read-only list call.
    

    

      Tier 1 — future MC
      Bounded auto-remediation: Cloud Run revision rollback, instance scale adjustment, hung service restart. Circuit breaker (max N actions/hour). Full audit trail. Never touches DB schema, IAM, secrets, or financial data. Always announces before acting.
      BUILT — SHADOW (MC #103435). Calibration clock started. See Tier-1 reference page.
      Explicit CEO approval token (/tmp/bilko-sentinel-tier1-approved) required before any mutation. Separate script (bilko-sentinel-tier1.js). Only after Tier-0 proves signal quality over weeks.
    

    

      Tier 2
      Broader autonomy.
      Probably never for a prod-financial SaaS
      N/A
    

  



The IAM incident reference is intentional: Tier-1 will be built with a hard whitelist of reversible Cloud Run and scaling operations only. No set-iam-policy, no SQL DDL, no secret rotation — ever.
                                




Bilko Prod Topology — app.bilko.cloud Cutover (reuse-demo-as-prod)


Bilko Prod Topology — app.bilko.cloud Cutover (reuse-demo-as-prod)



MC: #103300  |  Completed: 2026-06-10  |  Proveo verdict: CUTOVER PASS  |  Evidence root: /tmp/evidence-103300/





CRITICAL REFERENCE — do not make assumptions about which DB is prod or what data is on it. Read this page first.








1. Topology Overview



CEO decision 2026-06-09: reuse the existing "demo" Cloud Run services and Cloud SQL instance as production. No new infrastructure was provisioned. The prior bilko-demo-* services are now the live prod environment.





DomainCloud Run ServiceStatusNotes



app.bilko.cloudbilko-web-demoReady/True, cert Ready/TruePrimary prod frontend


app-api.bilko.cloudbilko-api-demoReady/True, cert Ready/TruePrimary prod API


api.bilko.cloudHTTP 000 (CF Worker SNI issue)Pre-existing issue, separate follow-up











2. Hostname Recognition — Dual-Mode (C2, PR #334)



Three files on main now recognize BOTH app.bilko.cloud (prod) AND bilko-demo.alai.no (demo/legacy) simultaneously.





FileProd hostnameDemo hostnameVerification



apps/web/lib/api-base.tsapp.bilko.cloudhttps://app-api.bilko.cloud/api/v1bilko-demo.alai.no preserved (dual-mode)Vitest 4/4 PASS


apps/web/middleware.tsapp.bilko.cloud + .bilko.cloudbilko-demo.alai.no preservedMachine-verified on main


apps/web/i18n/request.tsapp.bilko.cloud + .bilko.cloudbilko-demo.alai.no preservedMachine-verified on main






PR #334 (feat/prod-hostname-c2-103300, HEAD c70dab73) adds the test file apps/web/test/api-base-hostname-103300.test.ts. The source changes to the three files above were already on main from prior commits. Proveo confirmed no merge conflict; safe to merge.



Landing CTAs: landing-hr CTAs already point to app.bilko.cloud. landing-io and landing-ba use #demo-form/mailto: anchors — no repoint required.






3. Backend Features Live on Prod (MC #103323)



Deployed to bilko-api-demo (now prod):





Route verification (Proveo C6-lite): Both POST /api/v1/support/tickets and GET /api/v1/admin/support/tickets return 401 (not 404) — routes are live and correctly auth-gated.






4. Prod DB State After Cleanup (C3)



Instance: bilko-demo-db (Cloud SQL, PostgreSQL 16, project tribal-sign-487920-k0, region europe-north1)

Backup anchor taken before cleanup: ID 1781094321949, status SUCCESSFUL, 2026-06-10T12:25:21Z

Cleanup executed: 2026-06-10T12:50Z by FlowForge, authorized by CEO



Organizations on prod DB — post-cleanup (1 row only)





Org IDNameClassificationStatus



d9e364ca-e7fc-48ed-a836-821bcaf79c99Bilko E2E Test OrganisationSEED/TEST — V71 migration seeded 2026-06-10KEPT — CI/Playwright infrastructure (see caveat (a) below)






Seed orgs from V13/V14/V29 migrations (sentinel UUIDs) were already absent before this cleanup — removed in a prior operation. Two real trial orgs (ALAI Holding AS 53349d6a and "unknown's Organization" 4e96b6ff / alembasic@gmail.com) were deleted per CEO authorization: "all data on bilko-demo-db is test data, no real customers."



Rows deleted in cleanup transaction





TableRows deletedMethod



organizations2Direct DELETE


users3CASCADE


entra_external_identities3Explicit DELETE (bilko_admin role required)


refresh_tokens26Explicit DELETE


chat_conversations1Explicit DELETE


logged_actions1Explicit DELETE (RLS had hidden this row from initial NO ACTION FK pre-check)


invoices1CASCADE


expenses1CASCADE


contacts1CASCADE


expense_documents1CASCADE


Total~40






Pre-commit guards 1-6: ALL PASSED. Post-commit SELECT confirmed organizations = 1 row (E2E org only).



System/catalog tables — do not touch




Restore anchor


gcloud sql backups restore 1781094321949 --restore-instance=bilko-demo-db


Backup taken 2026-06-10T12:25Z, 10 minutes before cleanup. Contains full pre-cleanup state including both deleted orgs.






5. Known Caveats and Open Follow-ups





RefIssueMCSeverity



(a)E2E test org d9e364ca (Bilko E2E Test Organisation) still on prod DB. Must be moved to staging before first external CIAM customer is onboarded.#103374M — no external customers yet


(b)Stage → prod promotion gate (C4) not yet formalized. Current gcp-deploy.yml deploys on every main push with no UAT approval step. TODO comment exists in the workflow file.#103375M — mitigated by semver tag requirement for prod deploy


(c)api.bilko.cloud returns HTTP 000 — pre-existing Cloudflare Worker Host/SNI rewrite issue, unrelated to this cutover. Direct Cloud Run URL and bilko-demo-api.alai.no both return 200. App is healthy.openL — brand URL, not a functional path


(d)SECURITY REVIEW ITEM: POST /api/v1/auth/test/session test-auth endpoint is present on the prod API surface. Flagged as Securion F7 (MC #103371). Must be removed or hard-gated before any external users are onboarded.#103371H — Securion review required









6. C5 — AI Integration



GROQ_API_KEY bound to bilko-api-demo (rev00165). AI route is live. Evidence: /tmp/alai/7d24e9bf/evidence-bilko-ai-fix/verification.json. Full functional E2E (Entra login path) is pending.






7. Verification Summary (Proveo)



Agent: Angie Jones (Proveo)  |  Timestamp: 2026-06-10T15:03Z  |  Verdict: CUTOVER PASS





CheckResultDetail



app.bilko.cloud HTTP 200PASScurl confirmed


bilko-demo-api.alai.no /api/v1/health HTTP 200PASScurl confirmed


PR #334 — hostname recognition, all 3 filesPASSdual-mode confirmed on main


Vitest api-base-hostname-103300 (4 tests)PASS4/4, 831ms


tsc --noEmit (apps/web)PASS0 errors


MC #103323 routes auth-gated (401 not 404)PASSsupport_tickets POST + GET routes live


DB clean statePASS (evidence-reviewed)SQL SELECT output in cleanup.md is authoritative; Cloud SQL proxy not available in Proveo context


PR #334 merge conflict checkPASS — no conflict5 CI-only commits on main since branch point; zero file overlap with PR files






Full Proveo report: /tmp/alai/p2p-pairing-evidence/proveo-103300-c2c6-verdict.md






8. Cutover Status Table (C1–C7)





ItemStatusOwnerNotes



C1 — domain mapping (app.bilko.cloud + app-api.bilko.cloud → bilko-web-demo / bilko-api-demo)DONEFlowForgeBoth Ready/True, cert Ready/True, HTTP 200


C2 — hostname recognition (middleware / api-base / i18n)DONECodeCraftDual-mode on main; PR #334 adds test coverage


C3 — prod DB cleaned of test/seed orgsDONEFlowForge/DB1 org remains (E2E test org d9e364ca); ~40 rows deleted; backup 1781094321949


C4 — stage → prod promotion gate formalizedPENDINGFlowForgeMC #103375


C5 — AI fix (GROQ_API_KEY on bilko-api-demo)DONERev00165, route live


C6 — Proveo end-to-end validationDONE (C6-lite)ProveoFull E2E blocked on Entra login flow; C6-lite PASS


C7 — Skillforge BookStack documentationDONESkillforgeThis page









9. Evidence Index





ArtifactPath



C1–C7 delta state/tmp/evidence-103300/cutover-state.md


DB inventory (read-only probe, pre-cleanup)/tmp/evidence-103300-c3/inventory.md


DB cleanup execution record + post-commit proof/tmp/evidence-103300-c3/cleanup.md


Proveo C2 + C6-lite verdict/tmp/alai/p2p-pairing-evidence/proveo-103300-c2c6-verdict.md


C5 AI fix verification/tmp/alai/7d24e9bf/evidence-bilko-ai-fix/verification.json



                                




Bilko Sentinel — Tier-1 Bounded Auto-Remediation (Shadow-First) 2026-06-11


Status


BUILT — SHADOW mode. MC #103435 (AgentForge build) + MC #103436 (Securion adversarial review). Parent MC #103328. Module: /Users/makinja/system/tools/bilko-sentinel-tier1.js. Tier-0 remains the active detection layer; Tier-1 is shadow-calibrating only.


Related: Bilko Sentinel Tier-0 (detection layer, LIVE) — Bilko Observability (GCP-native)


SRE rationale: DECISIONS-observability-2026-06-10.md, Decision 2 — Kelsey Hightower consult. The bar is not yet met; ship the muscle, start the calibration clock, arm only when proven.



What Tier-1 Is


Tier-1 is the agent that can fix. Where Tier-0 only detects, diagnoses, and proposes — Tier-1 computes the exact bounded action and, when armed, executes it. Permitted action set (exhaustive):



Never-automate (enforced at IAM, not policy): no IAM/policy change, no Cloud SQL op, no secret op, no DNS/LB/network, no rollback older than N-1, no action during an in-flight deploy or protected business window. Invoked by the Tier-0 loop via try/catch — any Tier-1 error is caught and logged, Tier-0 continues unaffected.



Modes (SENTINEL_TIER1_MODE)


Mode is read once at startup, immutable for the life of the process. Unrecognised or missing value resolves to shadow. The LaunchAgent plist deliberately omits the key.



  
ModeBehaviourCurrent state

  
    

      shadow (DEFAULT)
      On a breach: compute the bounded action, announce to #ceo with gate evaluation, write one row to calibration ledger. Execute nothing.
      ACTIVE
    

    

      ack
      Same as shadow, but if a human posts APPROVE in the #ceo thread within 3 min, execute the action (all 8 gates must pass). Slack poll loop is a follow-on — currently defers conservatively. Requires F4 hardening first.
      NOT YET WIRED
    

    

      auto
      Execute automatically when all 8 gates pass and promotionBarMet() returns true. Silence in ack window = proceed. FORBIDDEN until bar met + human-engineer sign-off.
      BLOCKED (PROMOTION_BAR_NOT_MET)
    

  




Current State: SHADOW — Confirmed Inert


Securion adversarial review (MC #103436) + AgentForge build verification (MC #103435) independently confirm: in shadow mode this agent cannot mutate prod. Two independent structural barriers:


    
  
  1. handleIncident() enters an if (MODE === 'shadow') block and returns at line 852 — the execution block at line 861+ is outside and structurally unreachable.
    2. 
  
  2. executeRollback() (line 625) and executeScaleFloor() (line 675) each throw as their literal first statement when MODE === 'shadow'. Both barriers are independently sufficient.
    3. 



Live production traffic verified unchanged during shadow simulation: bilko-api-demo-00192-sfv @ 100% before and after. Auto mode tested with SENTINEL_TIER1_MODE=auto and hard-blocked with PROMOTION_BAR_NOT_MET.



8 Pre-fire Gates


ALL eight must be true before any execution in ack or auto mode. In shadow they are evaluated and recorded to the ledger only.



  
#GateDetail

  
    
1Alert sustained ≥5 minPrevents action on transient spikes. Measured from incident.firstSeenAt.

    
2Calibrated LLM confidenceRequires "high" until ≥5 ledger reviews; adjusts to "medium" with ledger data. Derived from calibration, not hardcoded.

    
3N-1 confirmed healthy ≥10 minRollback target must have been in Ready=True state for ≥10 min before the current (bad) revision. Unknown = block + escalate.

    
4No schema migration in bad revisionRequires deploy manifest (~/system/state/bilko-deploy-manifest.json). Honest block: absent manifest = BLOCK + escalate to human. Rolling back across a schema migration can corrupt data.

    
5Cooldown: no action in last 60 minOne action per 60-minute window across all types.

    
63-min human-ack windowHOLD or ABORT in #ceo thread cancels. Shadow: informational. Ack: requires explicit APPROVE. Auto: silence = proceed.

    
7IAM diff vs known-good snapshotCompares live Cloud Run service IAM policy against ~/system/state/bilko-sentinel-iam-snapshot.json. Mismatch = block + escalate. Motivated by the 2026-06 IAM wipe incident.

    
8N-1 is not itself a rollback revisionPrevents rolling back to a revision tagged as a known-bad rollback. Checked against deploy manifest isRollback flag.

  




Circuit Breakers




Promotion Bar: shadow → auto


promotionBarMet() is a hard gate on the auto path. Reads the calibration ledger at runtime — not hardcoded. Currently returns FALSE; auto path refuses with PROMOTION_BAR_NOT_MET.



  
CriterionRequiredCurrent (2026-06-11)

  
    
daysLive_gte30≥30 days since first ledger entry0 days — NOT MET

    
evaluatedProposals_gte20≥20 proposals in ledger2 — NOT MET

    
fpRate_lt5pctHuman-reviewed FP rate <5%100% default — NOT MET

    
groundTruthHit≥1 row with human_verdict=correct0 — NOT MET

    
deployManifestExists~/system/state/bilko-deploy-manifest.json presentAbsent — NOT MET

  



When the bar is eventually met, human-engineer sign-off is still required before the plist is updated to set SENTINEL_TIER1_MODE=auto. That is an explicit audited step, not an automatic promotion.



Arming Prerequisites (Securion #103436 — MC #103439)


These gate arming (ack/auto), not shadow. Securion re-review required before the mode key is added to the plist.



  
FindingSeverityRequired before arming

  
    

      F5 — Ledger integrity
      HIGH
      HMAC-sign each ledger row (key stored outside ledger path). promotionBarMet() must verify HMAC before counting. Without this, forged human_verdict entries can satisfy the promotion bar and arm auto.
    

    

      F7 — SA IAM scope
      MEDIUM
      Verify alai-cli-deployer holds only monitoring.viewer + logging.viewer + run.viewer in shadow. For auto: run.developer scoped by resource condition to bilko-api-demo + bilko-web-demo only. Must NOT hold cloudsql.*, iam.*, secretmanager.*, dns.*.
    

    

      F4 — Ack approver allowlist
      INFO
      Before Slack poll loop is wired: define constant with allowed Slack user IDs. Poll must verify message.user + thread_ts — not just message text.
    

    

      F6 — IAM snapshot seal
      MEDIUM
      chmod 0444 after first write. Add sealed flag; require manual unsealing for reset. Populate bilko-web-demo immediately.
    

    

      F2 — Misleading Object.freeze
      MEDIUM
      Remove Object.freeze({MODE}) at line 57 — it freezes a discarded object, not the const binding. Replace with clarifying comment.
    

    

      F8 — Gate 8 inconsistency
      LOW
      Align Gate 8 with Gate 4: block (not warn-and-pass) when deploy manifest absent or N-1 not in manifest.
    

    

      F3 — Module integrity
      LOW
      Add startup SHA-256 check of the module file against a stored known-good value outside the module path.
    

  



All items tracked in MC #103439. Securion re-review required before mode key is added to plist.



Calibration Ledger


Every shadow proposal appends one row to /Users/makinja/system/logs/bilko-sentinel-tier1-ledger.jsonl


Row schema: { ts, incidentId, policyName, condName, resource, diagnosis, confidence, computedAction, n1Info, gates, mode, human_verdict }


The human_verdict field starts as "not-yet-reviewed". Update to: correct | wrong-rootcause | would-have-worsened. A weekly summary is posted to #ceo automatically: proposal count, reviewed count, FP rate, ground-truth hits, promotion bar status.


node /Users/makinja/system/tools/bilko-sentinel-tier1.js --weekly-summary



Infrastructure



  
ComponentLocation

  
    
Module/Users/makinja/system/tools/bilko-sentinel-tier1.js

    
Weekly summary plist/Users/makinja/system/tools/com.alai.bilko-sentinel-tier1-weekly-summary.plist

    
Calibration ledger/Users/makinja/system/logs/bilko-sentinel-tier1-ledger.jsonl

    
IAM snapshot/Users/makinja/system/state/bilko-sentinel-iam-snapshot.json

    
State file/Users/makinja/system/state/bilko-sentinel-tier1-state.json

    
Execution audit log/Users/makinja/system/logs/bilko-sentinel-audit.jsonl

    
Run log/Users/makinja/system/logs/bilko-sentinel-tier1.log

    
Single-writer lock/Users/makinja/system/state/bilko-sentinel-tier1.lock

    
GCP projecttribal-sign-487920-k0, region europe-north1

    
SAalai-cli-deployer@tribal-sign-487920-k0.iam.gserviceaccount.com

    
Allowed servicesbilko-api-demo, bilko-web-demo

    
HostANVIL (makinja local Mac) — invoked by Tier-0 loop

  




Runbook


Self-test in shadow


node /Users/makinja/system/tools/bilko-sentinel-tier1.js --self-test


Evaluate promotion bar


node /Users/makinja/system/tools/bilko-sentinel-tier1.js --promotionbar-test
# exits 0 if bar met, 1 if not


Inspect calibration ledger


tail -f /Users/makinja/system/logs/bilko-sentinel-tier1-ledger.jsonl


Re-enable after circuit-open


# Edit ~/system/state/bilko-sentinel-tier1-state.json
# Set "circuitOpen": false


Flip to ack mode (AFTER all hardening items + Securion re-review)


# Add to LaunchAgent plist EnvironmentVariables:
#   <key>SENTINEL_TIER1_MODE</key><string>ack</string>
launchctl unload ~/Library/LaunchAgents/com.alai.bilko-sentinel.plist
launchctl load ~/Library/LaunchAgents/com.alai.bilko-sentinel.plist
                                




Bilko Observability & Self-Healing — Program Overview (MC #103328)


Bilko Observability & Self-Healing — Program Overview (MC #103328)



This is the single entry point for the entire Bilko observability and self-healing program.
It links every sub-page, states current status, and gives a quick orientation for any CEO, agent, or engineer arriving for the first time.






Environment Topology




TierCloud Run servicesPublic URLPurpose



PROD (demo)bilko-api-demo, bilko-web-demoapp.bilko.cloud / bilko-demo-api.alai.noLive trial surface — real prospects register here


STAGEbilko-api-stage, bilko-web-stagestage.bilko.cloud (internal)CI validation; masks some RLS bugs (documented lesson)


DORMANTbilko-webOld web service; superseded by bilko-web-demo





GCP project: tribal-sign-487920-k0. All observability targets bilko-api-demo and bilko-web-demo as the canonical production equivalents.






Program Arc (2026-06-09 → 2026-06-11)


    

  1. GCP-native observability baseline (MC #103329/P1-A) — Cloud Monitoring dashboard (070613fa…), latency/traffic/saturation/5xx alerts wired end-to-end.
    2. 

  2. Validation (MC #103331) — Proveo independent PASS confirming all alert signals fire correctly.
    3. 

  3. Docs (MC #103332) — Initial BookStack page published.
    4. 

  4. Sentinel Tier-0 built (MC #103337) — Read-only agent: detect → diagnose via Ollama → propose → notify. Proveo PASS. LaunchAgent running at PID 11465 (com.alai.bilko-sentinel).
    5. 

  5. CD-green + GCP error-tracking (MC #103364) — CD pipeline repaired; error log metric + alert added. Threshold tuned to >3 errors/5 min after the first real incident (see below).
    6. 

  6. CIAM E2E blocking gate (MC #103365) — Playwright CIAM auth-lifecycle spec added as a mandatory blocking step in the deploy pipeline. Proveo two-sided PASS (green + fails-on-broken).
    7. 

  7. CRITICAL security review (MC #103369, Securion) — /auth/test/session endpoint on bilko-demo-api found to accept arbitrary email → impersonation risk (F7 = CRITICAL). Full findings + F7 remediation path issued.
    8. 

  8. F7 security fix deployed (MC #103371) — Email whitelist, constant-time compare, 5/min rate-limit, Sentry audit. Verified live: attacker email → 403, seeded email → 200. CIAM E2E gate now 3/3 (F7-WHITELIST-GATE added). PR #330 merged, PR #332 (gate) merged.
    9. 

  9. First real incident handled (503, 2026-06-10) — Transient 503s during Cloud Run revision cutover/scale-from-zero (not a code bug). Alert pipeline worked. Threshold tuned >0 → >3. See Security & Decisions page for full post-mortem.
    10. 

  10. Sentinel dynamic-discovery fix (MC #103420) — Sentinel was missing the error-count policy (hardcoded list). Fixed to live gcloud discovery + 5-min cache + embedded fallback. 9 policies now evaluated each cycle, 13 conditions total.
    11. 

  11. Tier-1 shadow (MC #103435) — Shadow-only armed auto-remediation module built. Structurally inert (dual barrier confirmed by Securion). Will NOT be promoted to ack/auto without clearing the promotion bar.
    12. 

  12. Securion Tier-1 review (MC #103436) — Parisa Tabriz lens review. Shadow inert confirmed. 8 findings; 3 must be resolved before ack/auto (F5 HMAC ledger, F7 SA IAM scope, F4 ack allowlist). See Security & Decisions page.
    13. 

  13. Tier-1 arming prerequisites (MC #103439) — Hard blockers catalogued. Tier-0 calibration clock starts now. Review at 30 days.
    14. 

  14. Dashboard maturity roadmap (MC #103393) — Backlog. SLOs, error-rate tiles, distributed tracing, business metrics. CEO decision: document now, build before meaningful paying-customer volume.
    15. 







Master Status Table




MCTitleStatusEvidence / Notes



#103329 (P1-A)GCP-native observabilityDONE — Proveo PASSDashboard 070613fa…; alerts wired


#103331ValidationDONE — Proveo PASSAll alert signals verified


#103332Docs (initial)DONEPage 3101 published


#103337Tier-0 Sentinel buildDONE — Proveo PASSLaunchAgent PID 11465 live


#103364CD-fix + error-trackingDONEThreshold >3/5min after 503 incident


#103365CIAM E2E blocking gateDONE — Proveo PASS2-sided proof; gate blocks on broken


#103369Securion test-endpoint reviewDONE — verdict MOVE_OFF_PROD (pre-fix); overridden post-F7 fix per Decision 1/tmp/evidence-103369/verification.json


#103371F7 security fixDONE — Proveo PASSPR #330+#332 merged; 3/3 gate; live proof attacker→403


#103393Dashboard maturity roadmapBACKLOG (not-now)SLOs, tracing, business metrics — before real paying customers


#103420Sentinel dynamic-discovery fixDONE — AgentForge PASS9 policies, 5-min cache, embedded fallback


#103435Tier-1 shadow buildDONE — shadow inertDual barrier; Securion review attached


#103436Securion Tier-1 reviewDONE — HARDENING_REQUIRED before ack/auto8 findings; F5/F7/F4 block arming


#103439Tier-1 arming prerequisitesIN PROGRESS — calibration clock running30-day / 20-proposal bar; see Decisions page









Key Live URLs







Documentation Map




PageWhat it covers



Page 3101 — Bilko Observability (GCP-native)Cloud Monitoring setup, dashboard tiles, alert policies, runbook for each alert type


Page 3102 — Bilko Sentinel Tier-0Tier-0 agent design, how detect/diagnose/propose/notify works, LaunchAgent config, audit log path


Page 3106 — Bilko Sentinel Tier-1 (shadow-first)Tier-1 architecture, shadow barriers, action set, circuit breakers, pre-fire gates


This page — Program Overview (#103328)Single entry point: arc, status table, links to all sub-pages


Page — Security & Engineering DecisionsF7 security fix, CIAM gate design, first incident post-mortem, Tier-1 arming prerequisites, architectural decisions



                                




Bilko Security & Engineering Decisions (Observability Program)


Bilko Security & Engineering Decisions (Observability Program)



This page covers security findings, live fixes, engineering decisions, and arming prerequisites for the Bilko observability/self-healing program. It is a companion to the Program Overview (MC #103328) page.






1. CRITICAL Security Finding F7 and Fix (MC #103369 to #103371)



What Securion found (MC #103369, 2026-06-10)


Securion reviewed POST /auth/test/session on bilko-demo-api.alai.no (live trial API). Verdict: MOVE_OFF_PROD. Source: /tmp/evidence-103369/verification.json





IDSeverityFinding



F7CRITICALcreateTestSession() accepted arbitrary email. No whitelist. Leaked secret mints owner JWT for any registered prospect in bilko-demo-db.


F6HIGHEndpoint on live customer trial surface (app.bilko.cloud / bilko-demo-api.alai.no).


F3HIGHGeneric auth bucket 200 req/min on demo - no endpoint-specific rate-limit.


F2MEDIUMNon-constant-time string compare (Kotlin !=). Timing side-channel defect.


F5MEDIUMRLS isolates E2E tenant but F7 expanded blast radius to all demo users.


F1HIGHEndpoint always registered at startup; 404 only when secret absent.


F4LOWSecret strength operator-dependent; no enforced entropy or rotation schedule.






Fix deployed (MC #103371, 2026-06-10)


PR #330 merged. Deploy run 27272876257 success. Revision bilko-api-demo-00179-wdz at 100% traffic. Source: /tmp/evidence-103371/verification.json





RemediationWhat changed



Email whitelist (F7 closed)testEmail hard-checked against BILKO_E2E_TEST_EMAIL env var. Non-matching returns HTTP 403 BILKO-AUTH-003. DB lookup never reached.


Constant-time compare (F2)Replaced Kotlin != with MessageDigest.isEqual() on both testEmail and secret.


Dedicated rate-limit (F3)5 req/min sub-bucket for /auth/test/session, independent of AUTH_RATE_LIMIT_PER_MINUTE.


Sentry audit (F3)Sentry.captureMessage on any secret mismatch - structured event, not just warn log.


PERMANENT gateF7-WHITELIST-GATE test added to ciam-auth-lifecycle.spec.ts (PR #332). Deploy pipeline now 3/3 tests; blocks on whitelist regression.






Live proof (Proveo independent verification)


Source: /tmp/verify-103371/verification.json and /tmp/evidence-103371/verification.json




ProbeExpectedGotResult



valid secret + non-whitelisted email (attacker@example.com)403403PASS


valid secret + seeded E2E email200200PASS


wrong secret + seeded email401401PASS





Deploy run 27274186928 (post-gate PR): success, 3/3 passed, F7-WHITELIST-GATE active.



Residual open findings (fix before first real paying customers)







2. CIAM E2E Blocking Gate (MC #103365)



Design


A Playwright spec (apps/e2e/tests/ciam-auth-lifecycle.spec.ts) runs as a mandatory blocking step in the GCP deploy pipeline (continue-on-error: false). Targets bilko-demo-api.alai.no specifically because stage masks RLS bugs (documented lesson). Source: /tmp/evidence-103365/verification.json



Token-seed pattern: spec calls POST /auth/test/session with the 64-char BILKO_E2E_TOKEN_SECRET from GCP Secret Manager to obtain a real Bilko JWT, then exercises 9 authenticated steps:


    

  1. POST /auth/test/session - 200 (JWT minted)
    2. 

  2. GET /auth/me - 200 (email + RLS identity confirmed)
    3. 

  3. GET /settings/users - 200 (tenant isolation: 1 user in org)
    4. 

  4. PUT /settings {vatNumber} - 200 (supplier OIB seeded)
    5. 

  5. POST /contacts - 201 (authenticated write)
    6. 

  6. POST /invoices - 201 (invoice create)
    7. 

  7. GET /invoices/{id} - 200 (RLS tenant read-back)
    8. 

  8. POST /auth/logout - 204 (refresh token revoked)
    9. 

  9. POST /auth/mobile/refresh (stale token) - 401 (revocation proven)
    10. 




Two-sided proof (Proveo)



Current state post-#103371: 3/3 tests (original 9-step spec + F7-WHITELIST-GATE). Permanent blocking gate in every future deploy.






3. First Real Incident (503, 2026-06-10)



Root cause (verified, /tmp/evidence-incident-503/finding.json)


Transient Cloud Run scale-from-zero + revision cutover blips. NOT a code bug. No outage.





Actions taken




Sentinel blind-spot exposed and fixed (MC #103420)


The incident revealed the error-count policy (ID 2342970117877340710, "Bilko API Demo - Backend ERROR log rate") was not in the Sentinel's hardcoded ALERT_POLICIES list. The Sentinel was silently blind to it. Source: /tmp/evidence-103420/verification.json



Fix: live gcloud alpha monitoring policies list dynamic discovery with 5-minute on-disk cache (~/system/state/bilko-sentinel-policy-cache.json) and embedded fallback. Sentinel now evaluates 9 policies / 13 conditions per cycle. Fallback WARN log emitted if gcloud fails (no silent blind spots). Cache hit log confirms the target policy on every cycle.






4. Engineering Decisions


John (AI Director) on CEO delegation. Decision 2 grounded in Kelsey Hightower (SRE) advisory consult. Canonical file: /Users/makinja/business/ALAI-Holding-AS/products/Bilko/docs/infrastructure/DECISIONS-observability-2026-06-10.md



Decision 1 - E2E test-session endpoint location


ACCEPT-WITH-HARDENING. Keep on demo. Overrides pre-fix MOVE_OFF_PROD verdict.


Why: F7 (the CRITICAL basis of MOVE_OFF_PROD) is fully remediated. Residual controls are strong (64-char secret, constant-time compare, 5/min rate-limit, Sentry audit, F7-WHITELIST-GATE). Demo is where RLS coverage lives; moving to stage forfeits the gate's purpose. No real customers yet; LOW residual risk.


Future trigger: before meaningful real-customer volume, migrate to a dedicated ephemeral no-traffic Cloud Run revision. Rotate secret on schedule.



Decision 2 - Tier-1 auto-remediation


Do NOT enable Tier-1 now. Stay Tier-0 (read-only). Earn promotion via the bar below.


Grounding: recent agent-caused production incidents (IAM wipe; F7 hole introduced by an agent's own change); Tier-0 is hours old, zero signal calibration; Cloud Run rollback is not migration-aware on a financial system.



Kelsey Hightower (SRE) consult


Independent conclusion: automated remediation is justified only after (a) calibrated track record of correct proposals, (b) migration-safe rollbacks, and (c) action set signed off by a human engineer. The promotion bar operationalizes this.



Promotion bar: Tier-0 to Tier-1 (ALL must be true)


    

  1. 30+ days Tier-0 live AND 20+ evaluated proposals (extend window until 20 proposals).
    2. 

  2. Proposal false-positive rate below 5% (human verdict within 24h; "root cause wrong" or "fix would worsen" = FP).
    3. 

  3. ZERO proposals that would have caused a secondary incident if auto-executed.
    4. 

  4. At least 1 ground-truth case: Tier-0 diagnosed correctly, human executed that exact fix, it resolved the incident.
    5. 

  5. Schema-deploy coupling audit complete + deploy manifest records migrations per revision (rollback safety).
    6. 

  6. Synthetic Entra-CIAM auth probe added to observability (bad rollback can break auth silently).
    7. 

  7. Revisions that are themselves rollbacks are tagged (never roll back to a known-bad revision).
    8. 

  8. Tier-1 action set signed off by a human engineer (not just CEO).
    9. 




Tier-1 permitted actions (enforced, not advisory)







5. Tier-1 Arming Prerequisites (MC #103439, Securion MC #103436)


Source: /tmp/evidence-103436/verification.json. Securion verdict: HARDENING_REQUIRED.


Shadow is structurally inert today. Dual barrier confirmed: (1) handleIncident() returns before execution block when MODE==='shadow'; (2) executeRollback and executeScaleFloor throw as their first statement in shadow. Two independent mechanisms. No mutation path exists in shadow.



Hard blockers before ack or auto mode




FindingSeverityRequired fix before arming



F5 - Ledger has no integrity protectionHIGHbilko-sentinel-tier1-ledger.jsonl is writable and unsigned. Forged human_verdict entries could satisfy the promotion bar. Fix: HMAC-sign each row; verify on read. BLOCK ack/auto until done.


F7 - SA actual GCP IAM roles unverifiedMEDIUMalai-cli-deployer SA project-level bindings not verified at review time. In shadow: must hold only monitoring.viewer + logging.viewer + run.viewer. For auto: roles/run.developer scoped to bilko-api-demo and bilko-web-demo only (resource-level condition). Must NOT hold cloudsql.*, iam.*, secretmanager.*, or dns.* roles.


F4 - Ack poll unwired; future identity riskINFO (future MEDIUM)When ack poll is wired: approver must be verified against hardcoded Slack user ID allowlist. Channel membership not sufficient. Require thread_ts match to prevent cross-incident approval.






Additional findings (non-blocking for shadow)




FindingSeveritySummary



F6 - IAM snapshot bootstrap windowMEDIUMSnapshot can be deleted to force re-baseline. Seal after first write; alert on deletion/recreation.


F2 - Object.freeze({MODE}) is a no-opMEDIUMMisleading call; remove or replace with comment. MODE is immutable by JS const semantics in strict mode.


F8 - Gate 8 inconsistent with Gate 4LOWGate 8 warns-and-passes when deploy manifest absent; Gate 4 blocks. Align to block.


F3 - Module integrity not checked at loadLOWAdd SHA-256 startup integrity check for Tier-1 module path.


F9 - Tier-1 missing execute bitLOWchmod +x /Users/makinja/system/tools/bilko-sentinel-tier1.js (cosmetic, no runtime impact).






Current state: Tier-1 running in shadow mode. All proposals logged to ~/system/logs/bilko-sentinel-tier1-ledger.jsonl. Calibration clock started. Review at 30 days / 20 proposals.
                                




Bilko Backoffice — Support & Fix Loop Runbook


Bilko Backoffice — Support & Fix Loop Runbook



Scope: Operational runbook for ALAI staff handling live customer problems on app.bilko.cloud.

Environment: backend bilko-api-demo, frontend bilko-web-demo, database bilko-demo-db (GCP Cloud Run / Cloud SQL).

Related pages: BookStack 3100 (Backend MVP), BookStack 3104 (Prod Topology).

MC: #103327 (docs), parent #103322 (Support & Fix Loop feature).






1. Overview — The Support Loop



The support loop is the full chain from a customer-visible error to a closed ticket:



    
  
  1. Error occurs — The customer hits an accounting error in the browser (e.g. an invoice save fails, a VAT calculation returns 500).
    2. 
  
  2. Toast notification — The frontend renders an error toast with the errorCode (e.g. INFRA_001) and a Report this problem CTA button. The toast carries the requestId and errorCode from the RFC 7807 ProblemDetail response body — not from response headers.
    3. 
  
  3. SupportIntakeForm Dialog — Clicking the CTA opens a focus-trapped role=alertdialog Dialog (never embedded in the toast itself). The form pre-fills the errorCode, requestId, and a contextBundle (10 allowlisted fields: IDs and codes, no PII).
    4. 
  
  4. Ticket submissionPOST /support/tickets creates a row in support_tickets (V73 migration). The backend validates the contextBundle allowlist server-side before insert. On duplicate (org_id, request_id) the API returns HTTP 409 and the form shows "A ticket for this error has already been filed."
    5. 
  
  5. Admin queue — Staff open /admin/support (Admin Support Queue page) to see all open tickets, paginated 50 per page, filterable by status.
    6. 
  
  6. Triage — Staff click a ticket to open the detail view (/admin/support/{id}), read the contextBundle, customerDescription, and join to the audit trail by request_id.
    7. 
  
  7. Impersonate — From the detail view, staff start a time-limited impersonation session (read-only, reason pre-locked to support:{ticketId}) to reproduce the issue in the customer's org context. All actions during impersonation are audited.
    8. 
  
  8. Fix — Staff apply a fix (DB correction, config change, user education) using safe data-correction procedures.
    9. 
  
  9. Status transition — Staff PATCH /admin/support/tickets/{id} to advance the ticket status. Every status change writes an audit_log row with the request_id threaded through.
    10. 
  
  10. Close — Ticket moves to RESOLVED (then optionally CLOSED). Both require a resolutionNote.
    11. 




Note: This is a human admin triage queue. There is no automated resolution. No AI agent writes to triage_json at MVP — that column is reserved for V2 AI triage scope.






2. Component Map



2.1 Sentry Capture — apps/api/.../plugins/Sentry.kt





2.2 StatusPages — apps/api/.../plugins/StatusPages.kt





2.3 V72 — audit_log.request_id



Migration: apps/api/src/main/resources/db/migration/V72__audit_log_request_id.sql





2.4 V73 — support_tickets table



Migration: apps/api/src/main/resources/db/migration/V73__support_tickets.sql




  
    
ColumnTypeNotes

  
  
    
idUUID PKDEFAULT gen_random_uuid()

    
org_idUUID NOT NULLFK to organizations.id, CASCADE DELETE

    
user_idUUID NOT NULLFK to users.id

    
error_codeTEXT nullablee.g. INFRA_001

    
request_idTEXT nullableCorrelation ID from originating failed request. NOT a FK to audit_log.request_id — join via equality.

    
context_bundleJSONB NOT NULL10-key allowlist: requestId, errorCode, httpStatus, instancePath, orgId, userId, appRoute, planTier, country, auditRef. CHECK jsonb_typeof = 'object'. Server-side validated.

    
customer_descriptionTEXT nullableFree text from customer, min 10 chars (enforced frontend)

    
statusTEXT NOT NULLCHECK IN (OPEN, TRIAGED, IN_PROGRESS, RESOLVED, CLOSED). Default OPEN.

    
triage_jsonJSONB nullableV2 AI triage output. NULL = not yet triaged at MVP.

    
created_atTIMESTAMPTZ NOT NULLDEFAULT now()

    
updated_atTIMESTAMPTZ NOT NULLAuto-updated by trigger on BEFORE UPDATE.

    
resolution_noteTEXT nullableRequired for RESOLVED/CLOSED (enforced in route handler)

    
external_refTEXT nullableV2 Zendesk/Linear sync reference. Blank at MVP.

  




Idempotency: UNIQUE INDEX idx_support_tickets_org_request_id_unique ON support_tickets(org_id, request_id) WHERE request_id IS NOT NULL — one customer request produces at most one ticket. Returns HTTP 409 on violation.



Status transitions (enforced in route handler, not DB):




RLS policies:




2.5 SupportTicketRoutes — apps/api/.../routes/SupportTicketRoutes.kt




  
    
EndpointAuthNotes

  
  
    
POST /support/ticketsJWT (customer)Creates ticket. org_id/user_id from BilkoPrincipal — NOT from request body. contextBundle server-side allowlist validated. Returns { id, status: "OPEN" }.

    
GET /admin/support/ticketsPlatform adminPaginated list. Query params: limit (1–100, default 50), offset, status (optional filter), orgId (optional filter). Returns { data, meta: { total, limit, offset } }.

    
GET /admin/support/tickets/{id}Platform adminSingle ticket detail.

    
PATCH /admin/support/tickets/{id}Platform adminStatus transition + optional resolutionNote, triageJson, externalRef. Invalid transitions → HTTP 422. Every status change writes an audit_log row.

  




2.6 Frontend — SupportIntakeForm



Source: apps/web/components/support/SupportIntakeForm.tsx





2.7 Frontend — Admin Support Queue



Source: apps/web/app/(admin)/admin/support/page.tsx and [id]/page.tsx








3. Operator Workflow



Step 1 — Find the ticket



    
  
  1. Navigate to app.bilko.cloud/admin/support.
    2. 
  
  2. Default view shows all tickets newest-first. Use the status filter to narrow to OPEN or TRIAGED.
    3. 
  
  3. Note the errorCode column. At MVP, most tickets will carry INFRA_001 (the generic catch-all code) until domain-specific error codes (V2 scope, MC #103333) are deployed.
    4. 




Step 2 — Read the context bundle and audit trail



    
  
  1. Click a ticket to open the detail view at /admin/support/{id}.
    2. 
  
  2. The contextBundle section shows all 10 allowlisted fields. Key fields for diagnosis:
    
      
      
    • requestId — the correlation handle. Use this to join to the audit trail and Cloud Logging.
      • 
      
    • errorCode — the error category.
      • 
      
    • httpStatus — HTTP status code of the failed request.
      • 
      
    • appRoute — the frontend route where the error occurred (e.g. /invoices/new).
      • 
      
    • orgId — the customer's organization UUID.
      • 
    
    
  
    3. 
  
  3. Join to the audit trail using the requestId:
    4. 




-- Diagnostic query: find audit rows for the failing request
SELECT
    id,
    created_at,
    portal_action,
    acting_user_id,
    payload,
    request_id
FROM audit_log
WHERE request_id = '<requestId from ticket>'
ORDER BY created_at ASC;




This query shows every audit event associated with the customer's specific failing HTTP request — impersonation starts, invoice mutations, status changes — in chronological order.



Step 3 — Triage and impersonate



    
  
  1. On the detail page, scroll to the Update Status section. Transition the ticket from OPEN to TRIAGED to signal the ticket is being investigated.
    2. 
  
  2. To reproduce the issue in the customer's org context, click Impersonate Org in the yellow panel. The impersonation dialog:
    
      
      
    • Pre-fills reason = support:{ticketId} — this field is READ-ONLY and cannot be edited.
      • 
      
    • Resolves orgId from ticket.orgId — NOT the ticketId (backend endpoint POST /admin/orgs/{orgId}/impersonate takes the org UUID).
      • 
      
    • Choose a duration (15/30/60 minutes).
      • 
    
    
  
    3. 
  
  3. Tab isolation warning: The impersonation token replaces the module-level access token (_accessToken in lib/api.ts). All tabs in this browser origin are affected for the duration of the session. A banner confirms "Impersonation active — all tabs in this origin are affected."
    4. 
  
  4. All actions during impersonation are audited in audit_log with reason = support:{ticketId}.
    5. 




Step 4 — Apply a fix



For data corrections, see Section 4 (Data-Correction Safety). For configuration or code fixes, follow the standard ALAI deployment pipeline (DEPLOY-MAP.md). After the fix is applied, end the impersonation session using the End Impersonation button. This atomically:




Step 5 — Transition and close



    
  
  1. Return to the detail view. Transition status to IN_PROGRESS (if work is ongoing) or RESOLVED (if fixed).
    2. 
  
  2. RESOLVED and CLOSED both require a resolutionNote (enforced by the API — HTTP 422 if blank). Write a brief note describing what was fixed.
    3. 
  
  3. The PATCH call audits the status change in audit_log with the admin's request_id threaded through for correlation.
    4. 
  
  4. Ticket moves to CLOSED as the final terminal state. No further transitions are possible.
    5. 







4. Data-Correction Safety



Impersonation scope





Direct data corrections (raw SQL)



If a data correction requires direct SQL on the database (e.g. correcting a journal entry double-entry imbalance, fixing a corrupted exchange rate):



    
  
  1. Run the preflight script before any SQL on prod/demo:
    
    bash scripts/ops/bilko-support-fix-preflight.sh <orgId> <ticketId>
    
    This script: creates a point-in-time backup annotation, logs the operator identity and timestamp, and prints a confirmation token required for the correction script.
  
    2. 
  
  2. Never run raw SQL on bilko-demo-db without the preflight backup pattern. Cloud SQL supports point-in-time recovery to 7-day window.
    3. 
  
  3. Double-entry corrections must preserve the ledger balance — every credit must have a matching debit. The platform enforces NUMERIC(19,4) for all monetary amounts.
    4. 
  
  4. After any direct SQL correction, run a reconciliation query to verify the affected org's trial balance still balances.
    5. 







5. Cloud Logging — Saved Views



Three saved log views are available in GCP Cloud Logging for the bilko-api-demo service:




  
    
View NamePurposeKey Filter

  
  
    

      bilko-error-by-org
      All ERROR/CRITICAL log entries for a specific org, newest-first. Use when the customer provides their org UUID and you need to see all errors in context.
      resource.type="cloud_run_revision" severity>=ERROR jsonPayload.orgId="<orgId>"
    

    

      bilko-request-trace
      All log entries for a specific requestId across all severity levels. Gives the complete request lifecycle: auth, route entry, DB queries, response. Use after reading the requestId from the support ticket's contextBundle.
      resource.type="cloud_run_revision" jsonPayload.requestId="<requestId>"
    

    

      bilko-5xx-demo
      All 5xx responses from bilko-api-demo in the last 24 hours. Use for proactive triage — catch errors before customers report them.
      resource.type="cloud_run_revision" resource.labels.service_name="bilko-api-demo" httpRequest.status>=500
    

  




To use these views: GCP Console → Cloud Logging → Log Explorer → Saved Queries. Select the relevant view, substitute the variable in angle brackets with the value from the support ticket.



Correlating a support ticket to logs:


    
  
  1. Take the requestId from the ticket's contextBundle (or from the request_id field on the ticket row).
    2. 
  
  2. Open bilko-request-trace view, paste the requestId into the filter.
    3. 
  
  3. You will see the full request lifecycle including the Kotlin [SupportTickets] structured log line that confirms when the ticket was created.
    4. 







6. Known Gaps and Follow-ups




  
    
GapDescriptionTracking

  
  
    

      Sentry DSN not provisioned
      bilko-sentry-dsn and bilko-web-sentry-dsn secrets exist in Secret Manager but are empty. Sentry is inert (no-op) in all environments until the CEO provisions the Sentry project and populates the secrets. Until then, rely on Cloud Logging for error observability.
      OCD-1 (open CEO decision)
    

    

      Error-code taxonomy V2
      Most support tickets at MVP will carry generic codes (INFRA_001, VAL_001) because domain-specific codes (e.g. BILKO-VAT-001, BILKO-FISK-001) are not yet defined. Triage is partly blind until V2 error codes land. Staff should use the appRoute and httpStatus from the contextBundle alongside the generic code to narrow the domain.
      MC #103333 (V2 error code taxonomy)
    

    

      Backend hardening follow-on
      Server-side context_bundle value length constraints (max ~256 chars per key, charset ASCII printable) are a follow-on hardening item. Current implementation enforces key allowlist but not value length.
      MC #103338 (backend hardening)
    

    

      Sentry setTag('httpStatus') minor follow-on
      The Throwable catch-all in StatusPages.kt sets scope tags requestId, orgId, and errorCode. The httpStatus tag is not yet set — the Sentry beforeSend filter uses it to suppress 4xx events, but for the INFRA_001 catch-all (always 500) this is a minor gap only. A one-line follow-on to add scope.setTag("httpStatus", "500") in the catch-all handler is tracked as a minor improvement.
      Follow-on to MC #103323
    

    

      Admin portal flash (middleware.ts)
      middleware.ts checks only for cookie presence (bilko_refresh_token or bilko_auth marker), not for the platformAdmin JWT claim. A non-admin authenticated user who navigates directly to /admin/support will see admin HTML briefly before the client-side useEffect redirect fires. The real security boundary is the backend — AdminAuthPlugin.kt enforces the claim on every API call. UI flash is a UX gap open for CEO decision.
      OCD (open CEO decision)
    

    

      Customer-facing ticket status
      Customers have no way to view the status of their submitted ticket or receive a notification when it is resolved. The backend POST /support/tickets returns the ticket ID; a customer-facing GET /support/tickets endpoint and notification flow are deferred to V2.
      V2 scope
    

  







Published by Skillforge (MC #103327). Complements BookStack 3100 (Backend MVP) and BookStack 3104 (Prod Topology). Last updated: 2026-06-11.
                                




Bilko Signup Jurisdiction Fix — MC #103501


Bilko Signup Jurisdiction Fix — MC #103501



Status: Branch-verified only. Merge, stage deploy, and production deploy are PENDING as of 2026-06-12.


Branch: fix/103501-oauth-jurisdiction | PR: #356 | Commits: 418a35f0, 9e05e5c6


Mesh record: mesh-thr-6a18851a-476c-4aff-a6c9-92665d35fb3f






1. Root Cause


The PostgreSQL function bilko_auth.provision_user_with_org had the org's country column hardcoded to 'BA'. During a Google or Entra OAuth signup, the Ktor backend called this function without passing any jurisdiction context. As a result, a user who signed up on bilko.cloud (Croatia) received an organisation record with country='BA' (Bosnia), even though the frontend MarketContext.tsx correctly pinned that domain to Croatia (HR, 25% PDV).


This created a silent jurisdiction mismatch: the backend would apply BA fiscal rules (17% PDV) while the UI presented HR rules (25% PDV). The bug only surfaced for OAuth signups; email/password signups were not affected by the same code path.



2. Domain → Jurisdiction Resolution Table


The new JurisdictionResolver.kt provides the canonical mapping. The same mapping is mirrored in apps/web onboarding/page.tsx (region-confirm step) and was already in MarketContext.tsx.




  
    

      Domain (request Host)
      Country
      Base Currency
      Language
    

  
  
    

      bilko.cloud
      HR
      EUR
      hr
    

    

      bilko.io
      RS
      RSD
      sr
    

    

      bilko.company
      BA
      BAM
      bs
    

    

      Unknown / fallback
      BA
      BAM
      bs
    

  




Notes:




3. Fix Summary



3.1 New file: JurisdictionResolver.kt


Encapsulates all domain → (country, baseCurrency, language) logic. Called from AuthRoutes.kt using call.request.host() before any provisioning occurs. The resolver is the single source of truth for host-to-jurisdiction mapping in the backend.



3.2 Changed: AuthRoutes.kt


Derives jurisdiction via JurisdictionResolver at the start of the Entra JIT provisioning path and threads the resolved country and baseCurrency values through to the database provisioning call.



3.3 New Flyway migration: V80


Gives bilko_auth.provision_user_with_org a new 6-argument overload that accepts country and base_currency as explicit parameters. The original 4-argument signature is preserved for backward compatibility with existing callers (defaults to BA/BAM). The migration also corrects language derivation, which was previously hardcoded to 'bs' regardless of the org's country; the new logic derives HR→hr, RS→sr, else→bs. SECURITY DEFINER and RLS are preserved unchanged.



3.4 Changed: apps/web onboarding/page.tsx


Adds a region-confirm step during onboarding that persists org.country explicitly. This provides a user-visible confirmation of the resolved jurisdiction and allows a deliberate override before the account is fully committed.



3.5 Security fix included in PR #356


During Proveo round-1 review, a bypass was identified: PUT /settings lacked an owner-only guard on the country field, meaning an admin-role user could silently change the org's jurisdiction via that endpoint. The guard was added in the same PR, restricting country writes to the org owner on both PUT /settings and PUT /organization.



4. Verification Evidence



Proveo verification — two rounds



  
    

      Round
      Result
      Findings
    

  
  
    

      Round 1
      PARTIAL
      Test-harness blocker; /settings owner-guard security gap; trailing-dot edge case not handled
    

    

      Round 2
      PASS
      All three findings resolved and re-verified
    

  




JUnit test results (branch, Testcontainers PostgreSQL)



  
    

      Test class
      Result
      Key assertion
    

  
  
    

      JurisdictionResolverTest
      18/18 PASS
      All domain mappings, trailing-dot normalization, uppercase Host, unknown-host fallback, ?country= override
    

    

      UserProvisioningWp2Test
      9/9 PASS
      T9 reads the org row from a real Testcontainers PostgreSQL instance and asserts country='HR', base_currency='EUR' for a bilko.cloud signup
    

    

      SettingsRoutesHttpIntegrationTest
      23/23 PASS
      Admin-role user receives HTTP 403 on both PUT /settings (country field) and PUT /organization (country field)
    

  




Mesh record: mesh-thr-6a18851a-476c-4aff-a6c9-92665d35fb3f



5. Backfill Plan (DOC-ONLY — requires CEO sign-off)



Scope: Organisations that were provisioned via OAuth signup through the bilko.cloud or bilko.io domain but have country='BA' in the database.


Reference file: docs/runbooks/jurisdiction-backfill-plan.md in the Bilko repo.



This plan is documentation only. No automated or manual data mutation must be executed without explicit written sign-off from Alem Basic (CEO).



Identification query (read-only)


-- Identify potentially mismatched orgs (read-only diagnostic)
SELECT o.id, o.name, o.country, o.created_at, u.email
FROM organizations o
JOIN users u ON u.org_id = o.id AND u.role = 'OWNER'
WHERE o.country = 'BA'
  AND o.created_at >= '2024-01-01'  -- adjust to known start of OAuth signup availability
ORDER BY o.created_at DESC;




Backfill procedure (requires CEO sign-off before execution)


    
  
  1. Run the identification query in a read-only transaction and export results for CEO review.
    2. 
  
  2. For each org, determine the correct jurisdiction by cross-referencing the user's signup domain from audit logs (if available) or by manual confirmation with the org owner.
    3. 
  
  3. Update via a Flyway-managed migration (versioned, reversible) — do not use ad-hoc SQL in production.
    4. 
  
  4. Re-verify affected org invoices: any invoices already issued with wrong tax rates may require credit notes and re-issue depending on the jurisdiction's accounting law. Involve a local accountant for HR and RS cases.
    5. 
  
  5. Notify affected org owners of the correction.
    6. 




Risk


Any org that has already issued invoices under the wrong jurisdiction has a fiscal compliance exposure. The data fix alone does not resolve the accounting liability — that requires domain-specific legal/accounting review per country.



6. Residual Items



Follow-on MC #103505 (non-blocker)


baseCurrency currently lacks a parallel owner-only guard on the settings/organization update endpoints. This means an admin-role user could change the base currency. Tracked as a separate non-blocking follow-on.



7. Pending Deploy Status



As of 2026-06-12, the following have NOT been completed:




Do not mark this fix as production-live until these post-deploy checks pass and evidence is recorded.






Documented by Skillforge (ALAI Knowledge & Training) — 2026-06-12. Source of truth for MC #103501 jurisdiction fix. For backfill execution, obtain CEO sign-off first.
                                




Bilko Modul B (Knjigovodstvo) — Spec + Board presuda (2026-06-13)



  TL;DR — 4/4 CONDITIONAL GO (jednoglasno). Modul B = dovršenje Modula A, ne ekspanzija. Četiri tvrda uvjeta (U1–U4) moraju biti zadovoljeni prije B-1 sprintova. Gate je komercijalni: 1 imenovan, obvezani ovlašteni računovođa kao design-partner. CEO direktiva 2026-06-13: "kreni kao da imamo računovođu" → B-1 path otvoren; U1 (Vlado posting-rule templates) u toku — MC #103530.




1. Presuda odbora — Board Verdict



Datum: 2026-06-13 · MC #103523

Članovi: Markos Zachariadis (fintech/tržište), Petter Graff (izvodljivost), Vlado Brkanić (HR domena/regulativa), Skybound (SaaS strategija)



Rezultat: 4/4 CONDITIONAL GO (jednoglasno uvjetno DA)



Nijedan NO-GO. Nijedan bezuvjetni GO. Sva četiri nezavisna glasa stigla na istu strukturu — što je sam po sebi signal: nije pristranost jednog ugla, nego konvergencija.



Zajednički zaključci (sva 4 se slažu)


    
  
  1. B nije "drugi proizvod" / premature expansion — to je dovršenje Modula A. Bez GL-a, svaka A-faktura pada u računovodstvenu crnu rupu (računovođa je ručno pretipkava). B pretvara Bilko iz "alata koji STVARA posao računovođi" u "platformu gdje računovođa živi". Vertikalna integracija unutar istog workflowa.
    2. 
  
  2. Računovođa = distribucijski kanal. Na HR/Balkan tržištu vlasnik NE bira računovodstveni softver — bira ga (ili veta) računovođa. 1 računovođa = potencijalno 30 firmi na Modulu A. To je flywheel (isti mehanizam kao Xero).
    3. 
  
  3. "Light-export" alternativa = povlačenje, ne strategija (Skybound + Markos). Cementira Bilko u trajno podređenu "feeder" poziciju, bez lock-ina, bez cjenovne poluge. Gradi se SAMO kao fallback ako uvjet ispod ne padne u 30 dana.
    4. 
  
  4. Pakiranje "2 proizvoda 1 platforma" = koherentno (Xero/QuickBooks/FreeAgent rade isto). Cijena: računovođin seat (flat) + po-firmi iznad besplatnog praga. Mapira se na postojeći feature-gate #102481. Bez arhitektonske kontradikcije.
    5. 




Četiri hard uvjeta (presjek svih glasova — moraju biti TRUE prije builda)




  
    
UvjetOpisGlasačiRok / Eskalacija

  
  
    

      U1
      Vladini posting-rule templates ISPISANI i ovjereni PRIJE prve linije B-1 koda. Ne razgovor — potpisan dokument: konto po tipu dokumenta po jurisdikciji u JSONB formatu. Bez toga B-1 ship-a s placeholder pravilima = kriva knjiga = gore od ničega.
      Markos + Petter + Skybound + Vlado
      Markos: ako nije u 3 tjedna → NO-GO
    

    

      U2
      Jedan IMENOVANI, obvezani ovlašteni računovođa kao design-partner: (a) daje posting pravila, (b) vodi praksu na B-1 MVP-u u pilotu, (c) tjedni feedback. Čak WhatsApp potvrda dovoljna na ovom stupnju.
      Skybound (gate)
      Postiže se u danima/tjednima. Ako ne padne u 30 dana → light-export fallback.
    

    

      U3
      SAMO B-1 sada (8-10 tj, 1 senior BE + 0.5 FE). B-2/B-3 ODGOĐENI dok: A stabilan (0 sev-1 bugova 60 dana), riješen domain-QA kapacitet, ≥1 PLAĆAJUĆI računovodstveni servis koristi B-1. Kill-switch (Unleash ACCOUNTING_GL_MODULE / GL_AUTO_POST) ožičen i testiran PRIJE bete.
      Petter + Vlado
      B-2/B-3 su zasebna CEO odluka tek nakon dokaza.
    

    

      U4
      Za F3 (GFI/PD/PDV obrasci prema FINA/Poreznoj): stalni ovlašteni računovođa kao "regulatory owner" na platnoj listi. Honorarni konzultant NE zadovoljava. F4 (JOPPD/plaće) = zasebna CEO odluka, NE u ovom glasu.
      Vlado (hard uvjet)
      Preduvjet za F3 fazu — ne za B-1.
    

  




Glasačka tablica




  
    
GlasačGlasKljučni uvjet

  
  
    

      Markos Zachariadis (Finverge)
      CONDITIONAL GO
      Vlado posting-rule templates zaključani PRE B-1 sprinta; referentni računovođa potpisan; A ima mjerljive klijente
    

    

      Petter Graff (CodeCraft)
      CONDITIONAL GO — B-1 ONLY NOW, B-2/B-3 DEFERRED
      8-10 tjd bounded bet; Vlado pisana pravila PRIJE prvog koda; kill-switch aktivno testiran
    

    

      Vlado Brkanić (domena)
      UVJETNO GO — F1 DA; F3 UVJETNO; F4 NE
      F3+: stalni ovlašteni računovođa na platnoj listi; VERIFY-NN runda za sve obrasce
    

    

      Skybound (SaaS strategija)
      CONDITIONAL GO
      Jedan imenovan design-partner računovođa s posting-rule obvezom PRIJE kickoffa; inače light-export fallback
    

  




Što odbor poručuje CEO-u (akcija)


Build-odluka NIJE inženjerska — gate je KOMERCIJALNI: nađi 1 obvezanog računovođu (čak WhatsApp potvrda dovoljna na ovom stupnju). To istovremeno rješava U1 (daje pravila), U2 (validira spremnost na prelazak prije 20-26 tj builda) i prvi referentni/plaćajući slučaj.


Ako CEO potvrdi imenovanog računovođu u 30 dana → B-1 ide CodeCraftu na scoping (8-10 tj). Ako ne → light-export layer kao privremeni kanal, B se revidira.



Raspon koji nije u specu (rizici koje je odbor dodao)




Jedna rečenica: A = jezgra i ulaz na tržište; B-1/F1 = GRADI (uz imenovanog računovođu + Vladina pisana pravila); B-2/B-3 = tek nakon dokaza plaćanja; F4/plaće = zasebna odluka.






2. Modul B Spec — Vizija i arhitektura



Jedna platforma, dva proizvoda


A = Bilko Fakturiranje (vlasnik firme) — postoji. B = Bilko Knjigovodstvo (OVLAŠTENI RAČUNOVOĐA, multi-org) — novo. Feature-gated preko postojeće #102481 arhitekture (Feature enum / PlanTier / FeatureMatrix — operativno; B se uključi BEZ mijenjanja postojećeg koda). Novi Stripe add-on/plan za B.



Temelj koji već postoji (tool-verificirano u repou)




GL Engine (Petter Graff)


4 nove tabele:



3 PG triggera: balance enforcement (ΣD=ΣP na POSTED), immutability (entries+postings readonly nakon POSTED).


1 servis: PostingRuleEngine — evaluira posting_rules JSONB, generira journal_postings automatski.


A→B bridge: SINHRON unutar orgTransaction (DB atomicity). Idempotencija: UNIQUE constraint → dokument se knjiži tačno jednom; edit/void = reversing entry.


Codebase disciplina (Petter): B routes ostaju u /accounting/* namespace; GlService nikada ne importira iz InvoiceService (bridge kroz domain event / DTO); Flyway migracije B prefiksovane zasebno (VN__gl_*.sql).



Kako A hrani B — auto-prijedlog temeljnice


Svaki A-dokument → auto-PRIJEDLOG temeljnice (računovođa pregleda/potvrdi, ne naslijepo):



  
    
Tip dokumentaKnjiženje (D = Duguje / P = Potražuje)

  
  
    
Izlazni računD 1200 Kupci / P 7600 Prihod + P 2400 PDV-obveza

    
Naplata (uplata klijenta)D 1000 Banka / P 1200 Kupci

    
Ulazni računD 4xxx Trošak + D 1400 Pretporez / P 2200 Dobavljači

    
Plaćanje dobavljačuD 2200 Dobavljači / P 1000 Banka

    
Putni nalogD 4200/4201 Dnevnice / P 2310 Obveza prema zaposleniku

    
Blagajnički primitakD 1020 Blagajna / P 1200 Kupci ili P 7600 Prihod

  



Mapiranje konfigurabilno po orgu; bez mapiranja → status "za kontiranje" (računovođa ručno unosi).



Faze i trud (order-of-magnitude, Petter)




  
    
FazaTrajanjeResursiSadržaj

  
  
    

      B-1 MVP
      8–10 tj
      1 senior BE + 0.5 FE
      GL shema, kontni plan UI, auto-post izlazni računi, ručne temeljnice, glavna knjiga, BRUTO BILANCA, feature-gate, Stripe add-on, opening-balance wizard
    

    

      B-2
      6–8 tj
      isti
      Ulazni računi, plaćanja, putni→temeljnice, pravi PDV obrazac, period close, salda-konti
    

    

      B-3
      6–8 tj
      isti
      GFI (bilanca/RDG/bilješke), DI+amortizacija, PD obrazac
    

    

      B-4
      8–12 tj
      TBD
      Plaće/JOPPD — ZASEBNA CEO odluka, samo iza certificirane cijevi
    

  



Ukupno bez B-4: 20–26 tj (~5–6.5 mj), gated po fazama, ne blank check.



Build vs Buy: BUILD


Nema OSS JVM double-entry s Balkan jurisdikcijom + multi-tenant RLS. Engine ~1500 linija Kotlina. Složenost je u Vladinim domenskim pravilima, ne u mehanizmu. Ništa eksterno.



Pravne granice (Vlado Brkanić)




Rizici (Petter)


    
  
  1. Posting-rule correctness (BLOKER): Vlado mora dati konta za svaki tip dokumenta po jurisdikciji; krivo pravilo = kriva glavna knjiga. Platform-admin review gate PRIJE auto-post aktivacije.
    2. 
  
  2. Double-post: DB unique constraint (entry + idempotency u jednoj tx).
    3. 
  
  3. GL query perf: composite index (org_id, account_id, created_at); materijalizirani snapshots u Fazi B-3.
    4. 
  
  4. Migracija postojećih: orgovi sredinom godine trebaju opening-balance → GL onboarding wizard obavezan u B-1.
    5. 




VERIFY NN (potrebno prije F2/F3)


PDV-K status, dnevnice iznosi, JOPPD osnovice, amortizacija udvostručenje — nije potvrđeno, FINA URL 404 (Vlado napomena). Eksplicitna VERIFY-NN runda obvezna.






3. Status odluke — CEO direktiva 2026-06-13



CEO direktiva 2026-06-13: "kreni kao da imamo računovođu" → B-1 path otvoren.



Sljedeći korak za CodeCraft (Petter): čekaj U1 (Vladine template) → B-1 scoping sprint (8-10 tj estimate).






Appendix: Sažetak individualnih glasova



Markos Zachariadis — Finverge (FinTech & tržište)


Glas: CONDITIONAL GO


Tržišna analiza: SMB bookkeeping SaaS segment u HR/BA/RS podservisiran — incumbenti (RRiF, Pantheon, Minimax, Saga) su desktop-native, single-org, bez eRačun-native workflowa. Bilko-ov wedge: računovođa dovodi 30 klijenta na platformu gdje su već (kao A korisnici) — obrnut distribucijski model od Minimaxa i fundamentalno jeftiniji za akviziciju. A→B flywheel realan, ali aktivira se kasno (tek kad A ima dovoljno penetracije da računovođe naiđu organski). Efikasni wedge pitch: "eRačun-first" — klijentovi eRačuni teku direktno u knjige bez re-unoса.


Tri hard pre-condition gate: (1) Domain input locked — Vlado potpisani JSONB konto-templates PRIJE B-1 sprinta; (2) Referentni računovođa potpisan — ovlašteni računovođa (HZRFD ili ekvivalent) kao beta partner PRIJE B-1 produkcijskog laунcha; (3) A ima mjerljive traction (preporuka: 50 plaćajućih A klijenata ILI 3 računovodstvena servisa na A).


Flip to NO-GO: ako Vlado posting-rule input nije dostupan u 3 tjedna od B-1 start datuma. Matematički balansiran ali sadržajno pogrešan GL = tiha erozija povjerenja + pravna izloženost računovođi.



Petter Graff — CodeCraft (arhitektura i izvodljivost)


Glas: CONDITIONAL GO — B-1 ONLY, B-2/B-3 DEFERRED


Arhitektura je ispravna i čista. B-1 isporučuje pravi minimalni proizvod kojim računovođa može raditi (izlazni računi, ručne temeljnice, bruto bilanca). 8-10 tjd = bounded bet; 26 tjd sada = blank check na proizvod koji još pronalazi PMF, s otvorenim A-bugovima iz UAT-a.


Glavni rizik nije u engine-u — nego u posting-rule correctness kao TRAJNOJ operativnoj funkciji: PDV stope, GFI FINA sheme, dnevnice iznosi mijenjaju se godišnje. Vlado nije na stalnom ugovoru → domenska QA kapacitet ne postoji za B-2/B-3 opseg. Uvjeti za B-2/B-3: (1) A stabilan (0 sev-1 bugova 60 dana + bank recon live); (2) Vlado na retaineru ILI stalni ovlašteni računovođa; (3) ≥1 plaćajući B-1 accounting firm.



Vlado Brkanić — Domena (HR računovodstvo/porez)


Glas: UVJETNO GO — F1 DA; F3 UVJETNO; F4 NE dok uvjet ne padne


F1 = sigurna zona (ništa ne ide državi; računovođa pregledava; bruto bilanca nije regulatorni output). F3 = visoki regulatorni rizik (GFI/PDV/PD obrasci prema FINA/Poreznoj se mijenjaju godišnje; NN/Pravilnici/FINA sheme). F4 (JOPPD/plaće) = crvena zona — ne u ovom glasu.


Jedan hard uvjet za F3: Bilko zapošljava stalnog ovlaštenog računovođu kao "regulatory owner" Modula B. Honorarni konzultant NE zadovoljava. Compliance = doživotni OPEX, ne jednokratni build trošak. Bilko na govorljivom HR tržištu — jedan bug koji 30 firmi jednog servisa pogrešno proknjiži = trajno narušeno ime.



Skybound — SaaS strategija


Glas: CONDITIONAL GO


B nije premature expansion — to je vertikalna integracija unutar istog workflowa. Računovođa = stvarni decision-maker za A-akviziciju (vlasnik ne bira software, bira računovođa). Light-export alternativa = retreat opcija, ne strategija — cementira Bilko u podređenu "feeder" poziciju bez lock-ina i bez cjenovne poluge.


Pricing model: računovođin seat (flat) + per-client-org fee iznad besplatnog praga (npr. prvih 5 orgova uključeno, zatim X BAM/mj po dodatnom orgu) — koherentno s #102481 feature-gate arhitekturom. Jedan hard gate: imenovan design-partner računovođa s posting-rule obvezom PRIJE B-1 kickoffa (čak WhatsApp potvrda dovoljna). Bez toga: light-export fallback u 30 dana. Sequencing: B-1 s design-partnerom u svakom sprintu → tek po prvom plaćajućem korisniku komercijalni push A → B-2/B-3 na temelju feedback-a.
                                




Bilko Modul B-1 — GL Foundation Build (2026-06-13)


TL;DR



  Bilko Modul B-1 GL Foundation je KOMPLETAN. Backend (commit 6efb16f9) + frontend (commiti 69c87cf3 + b1f6401a) izgradeni.
  GL subsystem je iza BILKO_ACCOUNTING_GL + GL_AUTO_POST flagova — obje default OFF globalno.
  Modul A (fakturisanje) potpuno netaknut.
  Proveo UAT PASS 20/20 (MC #103549), Vlado domain acceptance PRIHVACENO 19/19, Petter (lead) sign-off: merge GO.
  PR #369 ceka CEO merge odluku — dormantan, flag-gated, nema regresije.




B-1 ZAVRSEN (stanje 2026-06-13)




  Bilko Modul B-1 — GL Foundation je KOMPLETAN.
  Backend + frontend izgradjeni, Proveo UAT PASS (20/20), Vlado domain acceptance PRIHVACENO (19/19), Petter (lead) sign-off: merge GO.
  PR #369 je spreman za CEO merge odluku — flag-gated (BILKO_ACCOUNTING_GL default OFF), Module A potpuno netaknut, nema regresije.




Sta modul radi (iza BILKO_ACCOUNTING_GL flag, default OFF)



Backend (commit 6efb16f9)




Frontend (commiti 69c87cf3 + b1f6401a)




Tok racunovodje


    
  
  1. Otvori Kontni plan — pregled konta (logicalRole / accountCode / jurisdikcija, HR RRiF)
    2. 
  
  2. Faktura/placanje kreira DRAFT temeljnicu automatski (kada je GL_AUTO_POST ON) ili rucni unos
    3. 
  
  3. Potvrdi DRAFT → POSTED (trajna, nepromjenjiva knjizba)
    4. 
  
  4. POSTED entry se pojavljuje u Glavnoj knjizi (temeljnice pregled)
    5. 
  
  5. Bruto bilanca pokazuje ΣD=ΣC — system-level invariant verificiran trigerom i API-jem
    6. 
  
  6. Storno = nova reversing POSTED entry (append-only, original nikad ne brises; cl. 11.3 ZoR)
    7. 




Validacija



  
    
SlojRezultatDetalji

  
  
    

      Proveo UAT MC #103549
      PASS 20/20
      Puni lifecycle (DRAFT→POSTED→storno) + gate testovi (flag OFF → 404) + permission negatives (viewer → 403, unbalanced → 400). Bruto bilanca ΣD=ΣC rucno verificirano. Mesh: mesh-thr-proveo-103535-20260613T044650Z. Layer: integration + fe-build (browser odgodjeno — demo SSL nedostupan; spec commitan).
    

    

      Vlado domain acceptance
      PRIHVACENO 19/19
      Ovlasteni racunovoda. Posting-rule templates (6 dogadjaja, JSONB kontrakt), kontni plan HR, PDV razlaganje po stopi, reversing-entry semantika, append-only nepromjenjivost.
    

    

      Petter (lead) sign-off
      B-1 COMPLETE, merge GO
      Commit 6efb16f9 backend + 69c87cf3/b1f6401a frontend. 78 testova zeleno. Scope eksplicitno zatvoreno per B-1 DoD.
    

  




Iskrene ogranicenja / odgodeno na B-2




Production-activation gates (prije pravog racunovodje)


    
  
  1. Operator ukljuci BILKO_ACCOUNTING_GL = true za imenovanog pilot org (GL_AUTO_POST ostaje OFF do gate 2)
    2. 
  
  2. [VERIFY-NN] OBAVEZNO: pravna provjera na narodne-novine.nn.hr / porezna-uprava.gov.hr za 10 VERIFY-NN stavki (PDV stope/clanci) — nije opcionalno
    3. 
  
  3. Imenovan racunovoda design-partner (board U2) live walkthrough sign-off
    4. 




Status PR #369



  Merge preporuka: GO — dormantan, flag-gated, Module A netaknut, nema regresije.
  Ceka CEO merge odluku.








Architecture



Database — 5 tables, Flyway migration V84



  
    
TablePurposeKey constraints

  
  
    

      bilko_flags
      Platform kill-switch flags (no Unleash dependency). org_id IS NULL = global default; non-null = per-org override.
      Surrogate UUID PK + expression unique index uq_bilko_flags(flag_name, COALESCE(org_id, '00...00')) — required because Postgres 16 does not allow COALESCE in inline PRIMARY KEY/UNIQUE syntax.
    

    

      journal_entries
      GL header (one row per business event). Append-only per Article 11.3 ZoR.
      UNIQUE(org_id, source_type, source_document_id) — idempotency invariant. Status enum: DRAFT / POSTED / REVERSED. RLS via V75 NULLIF fail-closed canonical pattern.
    

    

      journal_postings
      GL legs (debit/credit rows). Multiple rows per entry.
      amount > 0, side IN ('DEBIT','CREDIT'). Immutability trigger fires if parent entry is POSTED/REVERSED.
    

    

      posting_rules
      Config-driven Vlado JSONB posting templates. Engine reads rules from here; never hardcodes account numbers.
      Seeded with R-1 (taxable domestic) and R-3a (EU_41 exempt) on migration. Additional rules added without code changes.
    

    

      account_mapping
      Org-configurable logical-role-to-account-code mapping. Global HR defaults seeded (9 entries). Orgs can override per jurisdiction.
      Expression unique index uq_am_org_role(COALESCE(org_id,...), jurisdiction, logical_role) — same PG16 fix pattern as bilko_flags.
    

  




Postgres Triggers — 3 enforcement points



  
    
TriggerFunctionWhat it enforcesError code

  
  
    

      trg_je_balance_check
      fn_je_balance_check
      Sum(DEBIT) == Sum(CREDIT) at the moment status transitions to POSTED. DRAFT entries are allowed to be unbalanced during assembly.
      P0002 (balance violation) / P0003 (zero postings)
    

    

      trg_je_immutability
      fn_je_immutability
      BEFORE UPDATE OR DELETE on journal_entries where OLD.status IN ('POSTED','REVERSED'). DRAFT rows remain mutable.
      P0001
    

    

      trg_jp_immutability
      fn_jp_immutability
      BEFORE UPDATE OR DELETE on journal_postings — checks parent entry status; fires if parent is POSTED/REVERSED.
      P0004
    

  




PostingRuleEngine (Kotlin)



  Located at apps/api/src/main/kotlin/no/alai/bilko/gl/PostingRuleEngine.kt.
  The engine is config-driven: it reads JSONB posting templates from the posting_rules table and resolves amounts from the incoming GlDocumentData struct.
  It never computes tax; all net/vat/gross values must originate from the Module A invoice document.



Key behaviours:




GlBridge — A to B integration point



  Located at apps/api/src/main/kotlin/no/alai/bilko/gl/GlBridge.kt.
  Called from InvoiceService.sendInvoice() inside the existing orgTransaction after the invoice transitions to SENT status.





Posting Rules — Vlado's 6 Events



  Domain contract authored by Vlado Brkanić (certified accountant, design-partner). Scope: outgoing/sales documents only, Croatian jurisdiction (HR). All amounts in EUR. Rates: 25% / 13% / 5% [VERIFY-NN čl.38].




  
    
EventDescriptionDebit legsCredit legs

  
  
    

      1 — SALES_INVOICE_ISSUED (standard)
      Taxable domestic invoice, VAT 25%, buyer Croatia. accounting_date = delivery/issue date.
      1200 Kupci HR (gross)
      7600 Prihodi HR (net), 2400 PDV obveza (vat)
    

    

      2 — Multi-rate (13%+5%)
      Same as Event 1 but VAT split across rates. Engine emits one CREDIT posting per rate, each carrying vat_rate.
      1200 (gross)
      7600 (net), 2400 @13% (vat slice), 2400 @5% (vat slice)
    

    

      3a — EU exempt (čl.41)
      B2B EU supply, zero VAT, report_target=ZP. Precondition: valid VIES VAT-ID.
      1201 Kupci EU (gross)
      7610 Prihodi EU (net) — no 2400
    

    

      3b — Export exempt (čl.45)
      Third-country export, zero VAT, not reported in ZP. Proof: customs export declaration.
      1201 (gross)
      7610 (net) — no 2400
    

    

      3c — Exempt without deduction right (čl.39/40)
      Zero VAT. vat_exemption_code preserved for B-2 pro-rata coefficient calculation.
      1200/1201 (gross)
      7600/7610 (net) — no 2400
    

    

      4 — PAYMENT_RECEIVED
      Cash inflow. Does not touch revenue or VAT accounts. Partial payment leaves receivable open.
      1000 Žiro-račun (payment.amount); 1020 Blagajna for cash
      1200 Kupci (closes receivable, closes_document_id set)
    

    

      5 — CREDIT_NOTE
      Reversal of Event 1. Reversing entry pattern — all legs inverted. source_type=CREDIT_NOTE, reverses_document_id set. No deletion of original.
      7600 Prihodi (net), 2400 PDV (vat)
      1200 Kupci (gross)
    

    

      6 — Advance (3 steps)
      
        6a Advance received: D 1000 / C 2310 (net) + C 2410 (VAT on advance). VAT liability arises on receipt [VERIFY-NN čl.30/5].

        6b Final invoice on delivery: D 1200 / C 7600 + C 2400. Revenue recognised once.

        6c Netting: D 2310 + D 2410 / C 1200. Advance VAT reversed. Result: 2310/2410/1200 net to zero; no VAT doubling.
      		
      See 6a/6b/6c
      See 6a/6b/6c
    

  




JSONB Rule Format — R-1 and R-3a examples


R-1: Taxable domestic invoice (vat_exemption_code is null):


{
  "event_type": "SALES_INVOICE_ISSUED",
  "jurisdiction": "HR",
  "match": { "vat_exemption_code": null },
  "postings": [
    { "account": "1200", "side": "DEBIT",  "amount_source": "invoice.gross", "analytic": "partner:{invoice.partner_oib}" },
    { "account": "7600", "side": "CREDIT", "amount_source": "invoice.net" },
    { "account": "2400", "side": "CREDIT", "amount_source": "invoice.vat_by_rate", "split_by": "vat_rate", "carry": ["vat_rate"] }
  ],
  "balance_assert": "sum(DEBIT) == sum(CREDIT)",
  "status_on_create": "DRAFT",
  "requires_accountant_confirmation": true
}



R-3a: EU-exempt supply (vat_exemption_code = "EU_41"):


{
  "event_type": "SALES_INVOICE_ISSUED",
  "jurisdiction": "HR",
  "match": { "vat_exemption_code": "EU_41" },
  "report_target": "ZP",
  "postings": [
    { "account": "1201", "side": "DEBIT",  "amount_source": "invoice.gross", "analytic": "partner:{invoice.partner_vat_id}" },
    { "account": "7610", "side": "CREDIT", "amount_source": "invoice.net" }
  ],
  "balance_assert": "sum(DEBIT) == sum(CREDIT)",
  "status_on_create": "DRAFT",
  "requires_accountant_confirmation": true,
  "preconditions": ["partner_vat_id_valid_vies"]
}



How to Enable the Module (Operator Runbook)



The two flags



  
    
FlagDefaultEffect when ON

  
  
    

      BILKO_ACCOUNTING_GL
      false (global)
      Enables the GL subsystem for the org. GlBridge checks this first. Without it, the engine is never called. Can be set per-org via bilko_flags (org_id non-null).
    

    

      GL_AUTO_POST
      false (global)
      When both flags are ON, GlBridge calls the engine and persists a DRAFT journal entry on every invoice send. DRAFT entries appear in the accountant's queue for review and confirmation. The system never auto-transitions a DRAFT to POSTED.
    

  




What happens when both flags are ON


    
  
  1. Invoice transitions to SENT in Module A (InvoiceService).
    2. 
  
  2. GlBridge.onInvoiceIssued() is called inside the existing orgTransaction.
    3. 
  
  3. PostingRuleEngine evaluates the invoice against JSONB rules in posting_rules.
    4. 
  
  4. A DRAFT journal entry + postings are persisted. Status = DRAFT, requiresAccountantConfirmation = true.
    5. 
  
  5. Accountant reviews the DRAFT in the (future) accounting module UI and transitions to POSTED manually.
    6. 
  
  6. If an entry already exists for this invoice (idempotency key), step 4 is a no-op.
    7. 






  This gate must pass before auto-post can go live in production.
  Vlado's domain contract contains 10 [VERIFY-NN] annotations referencing Croatian tax law articles (ZoPDV, ZoR).
  The exact Narodne Novine references must be verified against porezna-uprava.gov.hr / narodne-novine.nn.hr before any POSTED auto-entries are generated for real clients.
  This is a platform-admin review gate — do not skip.




Validation Evidence




  Proveo verdict: PASS — Angie Jones, 2026-06-13.
  Mesh thread: mesh-thr-proveo-103535-20260613T044650Z.
  Validation report: /tmp/evidence-103535/VALIDATION-REPORT-v2.md.




  Two validation rounds were required:





DB-invariant proofs (12 sub-tests on live Postgres 16)



  
    
InvariantProbeExpectedSQLStateResult

  
  
    

      Balance trigger (reject)
      POST entry with D=1000 / C=800, transition to POSTED
      Exception: "balance violation"
      P0002
      PASS
    

    

      Balance trigger (allow)
      POST entry with D=1250 / C=1250, transition to POSTED
      No exception
      
      PASS
    

    

      Idempotency
      Insert duplicate (org_id, source_type, source_document_id)
      Unique violation
      23505
      PASS
    

    

      Entry immutability (UPDATE)
      UPDATE POSTED journal_entry
      Immutability violation
      P0001
      PASS
    

    

      Entry immutability (DELETE)
      DELETE POSTED journal_entry
      Immutability violation
      P0001
      PASS
    

    

      Posting immutability (UPDATE)
      UPDATE posting row of POSTED entry
      Immutability violation
      P0004
      PASS
    

    

      Posting immutability (DELETE)
      DELETE posting row of POSTED entry
      Immutability violation
      P0004
      PASS
    

    

      DRAFT mutability
      UPDATE on DRAFT journal_entry
      No exception, persisted
      
      PASS
    

    

      +4 schema/flag proofs (tables present, indexes present, triggers present, flag seeds confirmed)
    

  




Test counts




Flag safety (GlBridgeTest 6/6)




What Is NOT Done Yet (Deferred to next B-1 slice)




                                




Bilko GCP→Azure Brand Domain Cutover (2026-06-15) — MC #103633


Bilko GCP→Azure Brand Domain Cutover (2026-06-15) — MC #103633



Context



  Trigger: GCP billing dead → all-to-Azure migration (CEO directive 2026-06-15).

  Scope: Bilko web was already on Azure; api.bilko.cloud was DOWN (HTTP 000, no DNS record). Azure PostgreSQL bilko-demo-pg already populated (63 tables, seed data) so NO DB migration needed — flip-only cutover.




What Changed



1. Cloudflare Worker Redeployment




2. DNS Record Added




3. Configuration Verification




Verification (PASS)



Health Check — All 6 Brand Domains



  
    

      Endpoint
      Status
      Response
    

  
  
    

      api.bilko.cloud/api/v1/health
      ✅ HTTP 200
      {"status":"ok","service":"bilko-api"}
    

    

      api.bilko.io/api/v1/health
      ✅ HTTP 200
      {"status":"ok","service":"bilko-api"}
    

    

      api.bilko.company/api/v1/health
      ✅ HTTP 200
      {"status":"ok","service":"bilko-api"}
    

    

      app.bilko.cloud
      ✅ HTTP 200
      Next.js HTML (lang="hr"/"sr-Latn"/"bs")
    

    

      app.bilko.io
      ✅ HTTP 200
      Next.js HTML (lang="hr"/"sr-Latn"/"bs")
    

    

      app.bilko.company
      ✅ HTTP 200
      Next.js HTML (lang="hr"/"sr-Latn"/"bs")
    

  




Origin Confirmation




Independent Verification




Rollback Procedure


If issues arise, rollback the Cloudflare Worker:


wrangler rollback --name bilko-edge-proxy --version-id 707ad1ee-038c-459a-b7aa-588772d1bd49



Open Follow-Ups (Low Priority)


    
  
  1. CSP cleanup: connect-src on app.bilko.cloud still allowlists old GCP stage URL bilko-api-stage-dh4m46blja-lz.a.run.app — cosmetic, remove in cleanup PR.
    2. 
  
  2. Worker repo commit: Commit /tmp/bilko-cf-worker/ to repo apps/edge-proxy/ (MC #100129).
    3. 
  
  3. Password rotation: Rotate bilko_admin PG password (surfaced in session transcript).
    4. 
  
  4. Service Principal: Durable SP role grant on rg-bilko-demo (blocked by harness, needs CEO terminal).
    5. 
  
  5. CI migration: Replace dead GCP Cloud Build stage CI with Azure pipeline.
    6. 









Published: 2026-06-15 | Author: Skillforge (ALAI Holding AS) | MC: #103633
                                




Bilko Azure IaC — Terraform azurerm (rg-bilko-demo)


Bilko Azure IaC — Terraform azurerm (rg-bilko-demo)



MC: #103720 (child of #103715)

Status: Converged (terraform plan = no changes)

Branch: feat/103715-azure-terraform-iac → PR #380

Date: 2026-06-16



Overview



Context: GCP project billing exhausted → Bilko migrated to Azure. Azure side had ZERO IaC (14 resources hand-created via az CLI). This created drift risk, manual errors, and no audit trail.



Solution: Entire rg-bilko-demo resource group (~23 resources) now under Terraform azurerm provider. Infrastructure is declarative, version-controlled, and reproducible.



Current state: terraform plan returns "No changes. Your infrastructure matches the configuration." (fully converged).



Architecture



Azure Topology





Resource Inventory







Resource
Name
Type/SKU
Notes






Resource Group
rg-bilko-demo
-
Parent container




ACA Environment
bilko-demo-env
Consumption
Shared environment for all container apps




Container Registry
bilkodemo
ACR
Private image registry




PostgreSQL
bilko-demo-pg
Flexible, B_Standard_B1ms, PG16, zone 1
Main database




Key Vault
kv-bilko-demo2
-
2 access policies: managed_identity + terraform_user




Managed Identity
mi-bilko-demo
-
For ACA → Key Vault




App Insights
appi-bilko
-
+ action group appi-bilko-alerts




Availability Alert
-
-
→ alem@alai.no




5xx Metric Alert
-
-
→ alem@alai.no




Container App
bilko-api-demo
ACA
Adopted (ignore_changes)




Container App
bilko-web-demo
ACA
Adopted (ignore_changes)




Container App
bilko-unleash
ACA
Adopted (public Docker Hub image)




Container App
bilko-api-stage
ACA
Adopted (ignore_changes)




Container App
bilko-web-stage
ACA
Adopted (ignore_changes)




Firewall Rule
-
Postgres
FORGE runner 10.0.0.2/32







Module Map



Repo: infrastructure/azure/terraform/



graph LR
    ENV[envs/demo] --> RG[module: resource-group]
    ENV --> LA[module: log-analytics]
    ENV --> ACR[module: acr]
    ENV --> MI[module: managed-identity]
    ENV --> KV[module: keyvault]
    ENV --> PG[module: postgres]
    ENV --> ACAENV[module: aca-environment]
    ENV --> ACA1[module: aca-app bilko-api-demo]
    ENV --> ACA2[module: aca-app bilko-web-demo]
    ENV --> ACA3[module: aca-app bilko-unleash]
    ENV --> ACA4[module: aca-app bilko-api-stage]
    ENV --> ACA5[module: aca-app bilko-web-stage]
    ENV --> AI[module: app-insights]
    
    ACAENV --> LA
    ACA1 --> ACAENV
    ACA2 --> ACAENV
    ACA3 --> ACAENV
    ACA4 --> ACAENV
    ACA5 --> ACAENV




9 modules:


    

  1. resource-group
    2. 

  2. log-analytics
    3. 

  3. acr
    4. 

  4. managed-identity
    5. 

  5. keyvault
    6. 

  6. postgres
    7. 

  7. aca-environment
    8. 

  8. aca-app (reusable, 5 instances)
    9. 

  9. app-insights
    10. 




State Backend



Provider: azurerm (NOT GCS — gcloud out of the loop)



Backend config:


backend "azurerm" {
  storage_account_name = "stbilkotfstate"
  container_name       = "tfstate"
  key                  = "demo.terraform.tfstate"
}



Ops Access



To run terraform plan/apply manually:


export ARM_ACCESS_KEY=$(az storage account keys list -g rg-bilko-demo -n stbilkotfstate --query "[0].value" -o tsv)
cd infrastructure/azure/terraform/envs/demo
terraform plan



CI/CD



Workflow: azure-infra.yml



New workflow (added in this PR):




Boundary: Infra vs. App Rollout



CRITICAL: Infrastructure = Terraform; APP ROLLOUT stays imperative.







Concern
Tool
Location






Resource creation/config
Terraform
azure-infra.yml




App image rollout
az containerapp update --image
azure-stage.yml / azure-deploy.yml







Do NOT move rollout to Terraform. The aca-app module uses lifecycle { ignore_changes } on container image to preserve imperative rollout.



Adopt-vs-Managed Pattern



The aca-app module has TWO modes:



1. Managed (greenfield)


Full Terraform control of env vars, secrets, image, traffic weight.


ignore_env_secrets = false



2. Adopted (existing apps)


Terraform imports existing resource but ignores runtime config (env/secrets/image/revision_mode/custom_domain/traffic_weight). Used for the 5 hand-built apps adopted as-is.


ignore_env_secrets = true

lifecycle {
  ignore_changes = [
    template[0].container[0].image,
    template[0].container[0].env,
    secret,
    ingress[0].custom_domain,
    ingress[0].traffic_weight,
    template[0].revision_suffix
  ]
}



All 5 current apps use adopted mode:




Gotchas & Lessons



1. Adopted ACA updates trigger NEW REVISION


Issue: Even with ignore_changes, any Terraform change to an adopted container_app triggers a new revision (graceful zero-downtime rolling restart) — NOT a silent no-op.


Mitigation: Minimize unnecessary Terraform changes to adopted apps. Review plan carefully before apply.



2. ACA environment force-replacement bug


Issue: azurerm 3.x tries to force-replace ACA environment on unchanged log_analytics_workspace_id.


Fix: Added ignore_changes = [log_analytics_workspace_id] to aca-environment module.



3. Postgres zone must be pinned


Issue: Azure blocks zone changes on existing Postgres Flexible servers.


Fix: Hardcode zone = "1" + ignore_changes = [zone].



4. Public-image apps (unleash) must NOT get ACR registry block


Issue: Unleash pulls from Docker Hub, not ACR. If module tries to set ACR registry, plan fails.


Fix: Dynamic registry block gated on registry_username != null:


dynamic "registry" {
  for_each = var.registry_username != null ? [1] : []
  content { ... }
}



5. workload_profile_name drift


Issue: Imported apps have workload_profile_name = "Consumption". If not set in Terraform, drifts to null.


Fix: Explicitly set workload_profile_name = "Consumption" for adopted apps.



6. NEVER commit .terraform/ or local tfstate


Issue: .terraform/ contains 273MB provider binary. Local tfstate can leak secrets.


Fix: Added to .gitignore.



Runbook: Safe Plan/Apply



Local Development



# 1. Authenticate
az login
export ARM_ACCESS_KEY=$(az storage account keys list -g rg-bilko-demo -n stbilkotfstate --query "[0].value" -o tsv)

# 2. Navigate
cd infrastructure/azure/terraform/envs/demo

# 3. Plan
terraform init  # first time only
terraform plan

# 4. Apply (if safe)
terraform apply

# 5. Verify
az containerapp list -g rg-bilko-demo --query "[].{name:name, status:properties.provisioningState}" -o table



CI Apply (Production)



    

  1. Open PR with infrastructure changes
    2. 

  2. Review terraform plan output in PR checks
    3. 

  3. Merge PR to main
    4. 

  4. Go to Actions → azure-infra.yml → Run workflow
    5. 

  5. Set confirm input to APPLY
    6. 

  6. Monitor run
    7. 

  7. Verify resources in Azure Portal
    8. 




ZAKON PI2: Never auto-apply. Always manual approval for live customer demo environment.



Open Follow-ups







MC
Priority
Description






#103745
M
Migrate ACA secrets → Key Vault (live ACA secrets are write-only/unreadable; adopted apps still use manual secrets)




TBD
L
Narrow azure-stage.yml paths filter (coordinate with MC #103579)




TBD
M
Rotate live Unleash DB credentials (weak cred still active on running app)










MC #103720 (child of #103715) — ZAKON-PLAN mandatory documentation task
                                




Bilko Customer Funnel Architecture


Bilko Customer Funnel Architecture



Context: This page documents the customer acquisition funnel for Bilko (Azure production), covering instant demo and card-required trial flows across three country markets: HR (bilko.cloud), RS (bilko.io), and BA (bilko.company). Built as MC parent #103797, WP8 docs deliverable #103805.



THE FUNNEL



Each country landing (bilko.{cloud,io,company}) presents two CTAs:



    

  1. [Pogledaj demo] — Instant shared demo

      

    • Public GET /api/v1/auth/demo?country=HR|RS|BA
      • 

    • No signup required
      • 

    • Returns 60-minute read-only demo JWT with demo=true claim
      • 

    • Auto-login into the per-country seeded demo org
      • 

    • Rate-limited: 20/min, 100/hr per IP
      • 

    

    2. 

  2. [Probaj 7 dana] — Card-required 7-day trial

      

    • Entra CIAM signup (bilkociam tenant 20bb17de-9be5-4143-a7e5-8c1ddae6a064)
      • 

    • Card-required Stripe checkout (WP5, currently DEFERRED until live Stripe keys provisioned)
      • 

    • 7-day trial period
      • 

    • Auto-charge on day 8
      • 

    

    3. 




Funnel Flow Diagram


Landing bilko.{cloud,io,company}
 ├─ [Pogledaj demo]   → app.bilko.{cloud,io,company}/demo?country=HR|RS|BA
 │                       → GET /api/v1/auth/demo?country=  (public, no signup)
 │                       → 60-min read-only demo JWT → /dashboard + DemoBanner(conversion mode)
 └─ [Probaj 7 dana]   → app.bilko.{cloud,io,company}/register?country=…&plan=trial
                         → Entra CIAM signup → JIT org (BASIC tier, trialEndsAt=+7d)
                         → [DEFERRED] FORCED Stripe Checkout (card, trial_period_days=7, payment_method_collection=ALWAYS)
                         → subscription.created webhook → syncPlanTier → /dashboard (trial active)
                         → day 8: invoice.payment_succeeded → ACTIVE/PRO




BACKEND ARCHITECTURE



Demo Endpoint




DEMO_READ_ONLY Guard




Stripe Integration




Trial Engine (Reused)




FRONTEND ARCHITECTURE



Per-Country API Routing




Demo Web Route




Landing CTA Fixes (WP3)




Checkout Interstitial (WP5, DEFERRED)




MOBILE ARCHITECTURE





DEPLOYMENT



Deploy Method




Deploy Order (RISK-09)


Landing (CF Pages) vs app (ACA) are independent pipelines. Deploy order MUST be:


    

  1. WP2 (API) — /auth/demo endpoint live
    2. 

  2. WP4 (Web app) — /demo route
    3. 

  3. WP3 (Landing pages) — CTAs point to live endpoints
    4. 




Open Go-Live Prerequisites




WORKSTREAMS






WPMC #TitleOwnerStatus




WP1#103798Stripe enablement + webhook fixFlowForge + CodeCraft[verify]


WP2#103799Instant demo endpointCodeCraft[verify]


WP3#103800Landing CTA + copy fixesVizu[verify]


WP4#103801Demo web frontendVizu + CodeCraft[verify]


WP5#103802Card-required trial flowVizu + CodeCraftDEFERRED (Stripe keys blocker)


WP6#103803Mobile wiringSkybound[verify]


WP7#103804Infra hygieneFlowForge[verify]


WP8#103805Validation + docsProveo/Angie + SkillforgeIn progress (this page)


Deploy#103833Azure imperative deploy cutoverFlowForge[verify]






CRITICAL FILES



Backend




Web




Mobile




Landings




Infra




VALIDATION GATES (Proveo)



E2E Matrix


HR/RS/BA × {instant demo, card-trial} × {web, mobile-API}



Critical Tests




KEY RISKS





OUT OF SCOPE







Source of truth: Plan ~/.claude/plans/fluttering-swimming-cherny.md + MC parent #103797.

This page documents WP8 deliverable #103805 (Skillforge docs).

Last updated: 2026-06-17
                                




Bilko Add-On Catalog & Pricing Model (2026-06-19, CEO-approved)


Bilko Add-On Catalog & Pricing Model
CEO-Approved 2026-06-19 | MC #103934, Parent #103917
Executive Summary
This document captures the CEO-approved add-on monetization strategy for Bilko, derived from live Norwegian SaaS market research (Fiken, Tripletex) and validated against Balkan market dynamics.
Key Decision: Of the four originally-proposed add-ons (reminders, tax/porezna, calendar, payroll), only payroll is monetized as a recurring add-on. The others are either bundled in core plans or offered as one-time annual services.
1. Core Plans (What's Included)
All paid Bilko plans (Starter €15 / Growth €29 / Pro €49) include:
Rationale: Norwegian market evidence shows that reminders, calendars, and tax deadline tracking are core differentiators, not premium features. Fiken and Tripletex both bundle these in their base plans. Charging for them creates friction without revenue upside in the Balkan SMB market.
Knjigovodstvo/GL (Modul B) unlocks at PRO tier (€49/month). This is the largest revenue unlock for existing built functionality.
2. Paid Add-Ons (Recurring & One-Time)
2.1 Payroll / Plate (per country)
Price:
What's included:
Example scenarios:
Competitor precedent:
Strategic note: Payroll is the only of the original four targets that Norwegian competitors consistently monetize as a paid add-on. This is the anchor revenue unlock after GL goes live.
2.2 Bank Integration (Open Banking via Tok)
Price: €4/month per bank account connection
What's included:
Competitor precedent:
Strategic note: Bank integration is a standard per-connection add-on in Norwegian SaaS. Creates daily active usage and high retention.
2.3 Annual Accounts / Godišnji Obračun (one-time per year)
Price (one-time per year, per entity):
What's included:
Competitor precedent:
Strategic note: This is not a monthly subscription. It's a one-time annual service charge, mirroring the Norwegian pattern. Periodic VAT reporting is free/core; annual closing is where genuine accounting labor occurs.
2.4 Advanced Dunning (optional)
Price: €5/month
What's included:
Strategic note: Basic payment reminders are free in core per Norwegian precedent. Advanced multi-step sequences with SMS are an optional premium.
2.5 API Advanced (for integrators)
Price: €6/month
What's included:
Strategic note: Basic REST API read access is available in Growth/Pro plans. Advanced webhooks/events for integrators are an optional add-on, mirroring Fiken's NOK 99/month API add-on.
3. What Is NOT Monetized as Add-Ons
FeatureTreatmentRationale
Calendar / Deadlines (Kalendar obaveza)CORE (bundled in all paid plans)No Norwegian competitor sells a standalone calendar. Deadline protection is a trust-building differentiator vs. legacy tools like e-racuni/Minimax. Tax deadline misses in Balkans = severe penalties (Serbia: up to 100% of tax for late filing; Croatia: fines up to HRK 200,000). This is a core value prop, not a tax.
Basic reminders / dunningCORE (bundled in all paid plans)Both Fiken and Tripletex bundle payment reminders in core. Charging for this creates friction without revenue. Advanced dunning (5-step + SMS) is the optional premium.
VAT calculation + deadline remindersCORE (bundled in all paid plans)Periodic VAT reporting is a regulatory obligation, not a premium feature. Both Norwegian competitors include this free. Annual filing is the monetization point (one-time service).
4. Pricing Model Summary Table
Add-OnPriceModelCompetitor Evidence
Payroll (per country)€5/month module + €2/employee/monthPer-employee hybridFiken: NOK 79 + 39/emp; Tripletex: NOK 65/user
Bank integration (Open Banking via Tok)€4/month per bank accountPer-connectionFiken: NOK 59; Tripletex: NOK 49
Annual accounts (APR/FINA/UIO)€25–35 one-time per year per entityOne-time annual serviceFiken: NOK 1,290–1,490/year; Tripletex: NOK 990/year
Advanced dunning (5-step + SMS)€5/monthFlat optionalBasic bundled in both competitors
API advanced (webhooks/limits)€6/monthFlat optionalFiken: NOK 99/month for API add-on
5. Norwegian SaaS Precedent (Live Evidence 2026-06-19)
Fiken (fiken.no/priser)
Tripletex (tripletex.no/priser)
Key pattern: Both competitors monetize payroll heavily. Both give away reminders, calendars, and periodic tax reporting as core. Annual filing is a one-time service, not a subscription.
6. Decision Rationale — Why Only Payroll?
Of the CEO's four original add-on targets:
  1. (a) Reminders / dunning: Norwegian competitors bundle basic reminders in core. Monetizing them = friction without revenue.
  2. (b) Tax / porezna reminders: VAT deadline alerts are regulatory compliance, not a premium. Annual filing (APR/FINA/UIO) is monetized as a one-time service, not a monthly add-on.
  3. (c) Calendar / deadlines: No Norwegian competitor sells a standalone calendar. It's embedded UX, not a product line.
  4. (d) Payroll / plate: STRONGLY VALIDATED. Both Fiken and Tripletex charge per-employee/per-user. This is the only proven recurring add-on revenue opportunity.
Conclusion: Bilko's add-on revenue model should anchor on payroll (per-employee), with bank integration (per-connection) as secondary, and annual accounts as a one-time service. Everything else is core or tier-gated.
7. Implementation Priority
  1. Immediate unlock (days, not weeks): Flip BILKO_ACCOUNTING_GL=true for demo org → Knjigovodstvo/GL appears on demo; tie to PRO tier via existing planTier/Stripe entitlement. Requires operator flip + [VERIFY-NN] tax audit before auto-post + Proveo E2E (invoice → DRAFT → POSTED → GL).
  2. Anchor add-on (Phase 2 after GL live): Payroll/JOPPD module — the only proven recurring add-on. Greenfield build; board flagged as separate gate decision.
  3. Low-hanging fruit: Complete Reminders persistence + scheduler (currently API endpoint exists, lacks durable storage) as CORE, not add-on.
  4. Do NOT build: Standalone calendar monetization. Keep calendar as embedded core differentiator.
8. Sources
Approval: CEO (Alem Basic), 2026-06-19, MC #103934
Author: John (AI Director, ALAI Holding AS)
Publication: BookStack https://docs.alai.no/books/bilko
                                




Bilko HR e-Račun Archive — GCS→Azure Blob Migration (2026-06-22)


Bilko HR e-Račun Archive — GCS→Azure Blob Migration (2026-06-22)



Overview


MC: #104172 T3 (build) + T4b (deploy) + T5 (verify) + T6 (docs, this page)


Date: 2026-06-22


Status: Deployed to stage, live verified with real sveRačun TEST API



Root cause: Bilko's HR e-invoice archive used Google Cloud Storage (GCS) in project tribal-sign-487920-k0. That GCP project billing was killed 2026-06-14, making all GCS writes fail with HTTP 401. The archive write happens before the sveRačun API call, so HR e-invoice submit flow was completely blocked.



Solution: Migrate the archive from GCS to Azure Blob Storage (swedencentral, same region as Bilko API). Keep the same GcsArchiveClient interface for backwards compatibility, implement RealAzureBlobArchiveClient.



Architecture



Interface Contract (GcsArchiveClient)


The interface remains GcsArchiveClient (name is historical). Two implementations:




Write-Once Mechanism


The archive must be immutable. Both implementations enforce write-once:




Authentication (Managed Identity)


Azure Blob uses Azure Managed Identity (user-assigned MI) for authentication:




Environment Contract


The following env vars control archive behavior:






Env VarExampleNotes




ARCHIVE_BACKENDazure-blobSet to azure-blob to use Azure Blob. If unset, falls back to DEMO_MODE logic.


AZURE_EINVOICE_BLOB_ENDPOINThttps://stbilkohreinvoicedemo.blob.core.windows.netAzure Blob endpoint (required if ARCHIVE_BACKEND=azure-blob)


AZURE_EINVOICE_CONTAINERhr-einvoice-archiveBlob container name


AZURE_CLIENT_IDe569c4e7-59e5-40a1-9aa3-a0dba9ceb738User-assigned MI client ID (for DefaultAzureCredential)


DEMO_MODEtrueIf true and ARCHIVE_BACKEND is not set → InMemoryGcsArchiveClient






Precedence Rule (CRITICAL)


ARCHIVE_BACKEND takes precedence over DEMO_MODE.


DI binding (DI.kt lines 217-233):


val archiveBackend = System.getenv("ARCHIVE_BACKEND")
val archiveClient = when {
    archiveBackend == "azure-blob" -> RealAzureBlobArchiveClient(...)
    isDemoMode -> InMemoryGcsArchiveClient()
    else -> error("...")
}



This means: if ARCHIVE_BACKEND=azure-blob is set on stage (where DEMO_MODE=true), the Azure Blob client is selected, NOT the in-memory client.



Azure Infrastructure



Storage Account




Managed Identity




Deployment Procedure (Direct Deploy)



Context: The Azure DevOps pipeline branch policy "Bilko-CI-CD PR Validation" blocks merges to main due to flaky E2E UAT debt (MC #103954). The bypassPolicy permission is denied. Therefore, the fix was deployed DIRECTLY to stage using Azure CLI (az acr build + az containerapp update).



Steps


    

  1. ACR build: az acr build -r bilkodemo -t bilko-api:stage-{SHA} --platform linux/amd64 -f apps/api/Dockerfile.web apps/api/
    2. 

  2. ACA update: az containerapp update -n bilko-api-stage -g rg-bilko-demo --image bilkodemo.azurecr.io/bilko-api:stage-{SHA} + 4 new env vars (ARCHIVE_BACKEND, AZURE_EINVOICE_BLOB_ENDPOINT, AZURE_EINVOICE_CONTAINER, AZURE_CLIENT_ID)
    3. 

  3. Revision: New revision bilko-api-stage--0000026 created, serving 100% traffic
    4. 

  4. Health check: curl -s https://bilko-api-stage.purplebeach-f004d490.swedencentral.azurecontainerapps.io/api/v1/health → HTTP 200
    5. 




Branch: feat/azure-blob-archive-104172 on azdo remote (PR #16 remains open for future merge when CI gate is resolved)


Commit: e6100cf1223c345678856e5cf89512704528c3f6


Image: bilkodemo.azurecr.io/bilko-api:stage-e6100cf1 (digest: sha256:03aeda482ed311ebf15b54a27c4afaee749b556bc13b5cf1f10ff28b851d19b8)



Flyway Migration GOTCHA



Bilko API does NOT auto-apply Flyway migrations on startup.



Flyway's filesystem scanner detects 0 migrations at app boot (known issue: 98 SQL files detected but not resolved by the classpath resolver → "no migration could be resolved" → app continues without applying migrations).



The migration V99 (issuer config seed) was applied manually via direct psql connection to bilko-demo-pg.postgres.database.azure.com:


psql "host=bilko-demo-pg.postgres.database.azure.com port=5432 dbname=bilko user=bilko_admin sslmode=require" -f apps/api/src/main/resources/db/migration/V99__seed_hr_einvoice_issuer_config_demo.sql




V99 registered in flyway_schema_history with success=true. Two rows seeded:




In CI/CD pipeline context: The Azure DevOps pipeline has a dedicated Flyway_Migrate stage that applies migrations. For direct deploys (bypassing CI), migrations must be applied manually.



Live Proof (T5 Verification)



Test: Submit a real HR e-invoice to sveRačun TEST API via stage.



    

  1. Issuer config enabled: UPDATE hr_einvoice_issuer_config SET enabled = TRUE WHERE org_id = '00000000-0000-0029-c000-000000000001' (HR demo org only, not all orgs)
    2. 

  2. Submit: POST /api/v1/invoices/{invoice_id}/submit-to-sveracun (invoice INV-HR-2026-001, EUR 3000.00)
    3. 

  3. Result: HTTP 200, submissionId: a3b0234b-9a6e-4c60-8368-b51da030a0f2, documentId: 6a390b5faf982834ab4306fb (real sveRačun TEST document ID, not mock)
    4. 

  4. Azure Blob written: az storage blob list --account-name stbilkohreinvoicedemo --container-name hr-einvoice-archive → blob 00000000-0000-0029-c000-000000000001/2026/2026-000001/a3b0234b-9a6e-4c60-8368-b51da030a0f2.xml (5960 bytes, contentType=application/xml)
    5. 




SVERACUN_HR_LIVE stayed false (confirmed via az containerapp show env check). The sveRačun call was made to TEST API (https://test.sveracun.hr/api), not live production.



PROD 11-Year WORM/Immutable Retention (Future)



Croatian law requires e-invoice archives to be retained for 11 years with immutable (WORM) protection. The current Azure Blob configuration has versioning enabled, but does NOT have time-based retention policy or legal hold.



This is a separate follow-on task (not in MC #104172 scope). Before Bilko HR goes live to paying customers:




Evidence Bundle




References




Authored by: Skillforge (ALAI Holding AS documentation team)

Date: 2026-06-22

MC: #104172 T6